SYMANTEC APPLIANCE LICENSE AND WARRANTY AGREEMENT



SYMANTEC CORPORATION AND/OR ITS SUBSIDIARIES ("SYMANTEC") IS WILLING TO LICENSE THE SOFTWARE 
INCLUDED WITH THE APPLIANCE YOU HAVE PURCHASED TO YOU AS AN INDIVIDUAL, THE COMPANY, OR THE 
LEGAL ENTITY THAT WILL BE UTILIZING THE SOFTWARE (REFERENCED BELOW AS "YOU OR YOUR") AND TO 
PROVIDE WARRANTIES ON THE APPLIANCE ONLY ON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS OF 
THIS LICENSE AND WARRANTY AGREEMENT. READ THE TERMS AND CONDITIONS OF THIS LICENSE AND 
WARRANTY AGREEMENT CAREFULLY BEFORE USING THE APPLIANCE. THIS IS A LEGAL AND ENFORCEABLE 
CONTRACT BETWEEN YOU AND SYMANTEC. BY OPENING THIS PACKAGE, BREAKING THE SEAL, CLICKING ON 
THE "AGREE" OR "YES" BUTTON OR OTHERWISE INDICATING ASSENT ELECTRONICALLY, REQUESTING A 
LICENSE KEY OR USING THE SOFTWARE AND THE APPLIANCE, YOU AGREE TO THE TERMS AND CONDITIONS OF 
THIS AGREEMENT. IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS, CLICK ON THE "I DO NOT AGREE" 
OR "NO" BUTTON IF APPLICABLE AND DO NOT USE THE SOFTWARE AND THE APPLIANCE. 

1. Software License: 

Except for the software, if any, described in the Excluded Software section at the end of this agreement (the "Excluded Software"), the 
software (the "Software") which accompanies the appliance you have purchased (the "Appliance") is the property of Symantec or its 
licensors and is protected by copyright law. While Symantec continues to own the Software, you will have certain rights to use the 
Software after your acceptance of this license. This license governs any releases, revisions, or enhancements to the Software that the 
Licensor may furnish to you as well as the copy of the Software provided to you on a CD-ROM or other media in connection with the 
Appliance (the "Restore Software"). Except as may be modified by a Symantec license certificate, license coupon, or license key (each 
a "License Module") which accompanies, precedes, or follows this license, your rights and obligations with respect to the use of this 
Software are as follows: 

You may: 

A. use the Software solely as part of the Appliance for no more than the number of users as have been licensed to you by Symantec 
under a License Module; 

B. use the Restore Software solely to restore the Appliance to its original factory functionality in the event the Software preloaded 
on the Appliance is corrupted or becomes unusable; 

C. make copies of the printed documentation which accompanies the Appliance as necessary to support your authorized use of the 
Appliance; and 

D. after written notice to Symantec, in connection with a transfer of the Appliance, transfer the Software on a permanent basis to 
another person or entity, provided that you retain no copies of the Software, Symantec consents to the transfer and the transferee 
agrees in writing to the terms of this agreement. 

You may not: 

A. sublicense, rent or lease any portion of the Software; reverse engineer, decompile, disassemble, modify, translate, make any 
attempt to discover the source code of the Software, or create derivative works from the Software; 

B. use the Restore Software for any purpose other than to restore the Appliance to the original factory functionality; 

C. use, if you received the Software distributed on an Appliance containing multiple Symantec products, any Symantec software on 
the Appliance for which you have not received a permission in a License Module; or 

D. use the Software in any manner not authorized by this license. 

2. Content Updates: 

Certain Symantec software products utilize content that is updated from time to time (antivirus products utilize updated virus 
definitions; content filtering products utilize updated URL lists; firewall products utilize updated firewall rules; vulnerability 
assessment products utilize updated vulnerability data, etc.; collectively, these are referred to as "Content Updates"). You may obtain 
Content Updates for any period for which you have purchased a subscription for Content Updates for the product or otherwise 
separately acquired the right to obtain Content Updates. This license does not otherwise permit you to obtain and use Content Updates. 



3. Limited Warranty: 

Symantec warrants that the media on which the Restore Software is distributed will be free from defects for a period of thirty (30) days 
from the date of purchase of the Appliance. Your sole remedy in the event of a breach of this warranty will be that Symantec will, at its 
option, replace any defective media returned to Symantec within the warranty period or refund the money you paid for the Restore 
Software. 

Symantec warrants that the Software will perform on the Appliance in substantial compliance with the written documentation 
accompanying the Appliance for a period of thirty (30) days from the date of purchase of the Appliance. Your sole remedy in the event 
of a breach of this warranty will be that Symantec will, at its option, repair or replace any defective Software returned to Symantec 
within the warranty period or refund the money you paid for the Appliance. 

Symantec warrants that the hardware component of the Appliance (the "Hardware") shall be free from defects in material and 
workmanship under normal use and service and substantially conform to the written documentation accompanying the Appliance for a 
period of three hundred sixty-five (365) days from the date of purchase of the Appliance. Your sole remedy in the event of a breach of 
this warranty will be that Symantec will, at its option, repair or replace any defective Hardware returned to Symantec within the 
warranty period or refund the money you paid for the Appliance. 

The warranties contained in this agreement will not apply to any Software or Hardware which: 

A. has been altered, supplemented, upgraded or modified in any way; or 

B. has been repaired except by Symantec or its designee. 

Additionally, the warranties contained in this agreement do not apply to repair or replacement caused or necessitated by: (i) events 
occurring after risk of loss passes to You such as loss or damage during shipment; (ii) acts of God including without limitation natural 
acts such as fire, flood, wind, earthquake, lightning or similar disaster; (iii) improper use, environment, installation or electrical supply, 
improper maintenance, or any other misuse, abuse or mishandling; (iv) governmental actions or inactions; (v) strikes or work 
stoppages; (vi) Your failure to follow applicable use or operations instructions or manuals; or (vii) such other events outside 
Symantec's reasonable control. 

Upon discovery of any failure of the Hardware, or component thereof, to conform to the applicable warranty during the applicable 
warranty period, You are required to contact us within ten (10) days after such failure and seek a return material authorization 
("RMA") number. Symantec will promptly issue the requested RMA as long as we determine that you meet the conditions for 
warranty service. The allegedly defective Appliance, or component thereof, shall be returned to Symantec, securely and properly 
packaged, freight and insurance prepaid, with the RMA number prominently displayed on the exterior of the shipment packaging and 
with the Appliance. Symantec will have no obligation to accept any Appliance which is returned without an RMA number. 

Upon completion of repair or if Symantec decides, in accordance with the warranty, to replace a defective Appliance, Symantec will 
return such repaired or replacement Appliance to You, freight and insurance prepaid. In the event that Symantec, in its sole discretion, 
determines that it is unable to replace or repair the Hardware, Symantec will refund to You the F.O.B. price paid by You for the 
defective Appliance. Defective Appliances returned to Symantec will become the property of Symantec. 

Symantec does not warrant that the Appliance will meet your requirements or that operation of the Appliance will be uninterrupted or 
that the Appliance will be error-free. 

THE ABOVE WARRANTIES ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESS OR 
IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE 
AND NONINFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. THIS WARRANTY GIVES YOU SPECIFIC LEGAL 
RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE. 

4. Disclaimer of Damages: 

SOME STATES AND COUNTRIES, INCLUDING MEMBER COUNTRIES OF THE EUROPEAN ECONOMIC AREA, DO NOT 
ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES SO THE 
BELOW LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. 

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND REGARDLESS OF WHETHER ANY REMEDY SET 
FORTH HEREIN FAILS OF ITS ESSENTIAL PURPOSE, IN NO EVENT WILL SYMANTEC OR ITS LICENSORS BE LIABLE 
TO YOU FOR ANY SPECIAL, CONSEQUENTIAL, INDIRECT OR SIMILAR DAMAGES, INCLUDING ANY LOST PROFITS 
OR LOST DATA ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF SYMANTEC HAS BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
IN NO CASE SHALL SYMANTEC'S OR ITS LICENSORS' LIABILITY EXCEED THE PURCHASE PRICE FOR THE 
APPLIANCE. The disclaimers and limitations set forth above will apply regardless of whether you accept the Software or the 
Appliance. 

5. U.S. Government Restricted Rights: 

RESTRICTED RIGHTS LEGEND. All Symantec products and documentation are commercial in nature. The software and software 
documentation are "Commercial Items", as that term is defined in 48 C.F.R. section 2.101, consisting of "Commercial Computer 
Software" and "Commercial Computer Software Documentation", as such terms are defined in 48 C.F.R. section 252.227-7014(a)(5) 
and 48 C.F.R. section 252.227-7014(a)(1), and used in 48 C.F.R. section 12.212 and 48 C.F.R. section 227.7202, as applicable. 
Consistent with 48 C.F.R. section 12.212, 48 C.F.R. section 252.227-7015, 48 C.F.R. section 227.7202 through 227.7202-4, 48 C.F.R. 
section 52.227-14, and other relevant sections of the Code of Federal Regulations, as applicable, Symantec's computer software and 
computer software documentation are licensed to United States Government end users with only those rights as granted to all other end 
users, according to the terms and conditions contained in this license agreement. Manufacturer is Symantec Corporation, 20330 
Stevens Creek Blvd., Cupertino, CA 95014. 

6. Export Regulation: 

You agree to comply strictly with all applicable export control laws, including the US Export Administration Act and its associated 
regulations and acknowledge Your responsibility to obtain licenses as required to export, re-export or import the Appliance. Export or 
re-export of the Appliance to Cuba, North Korea, Iran, Iraq, Libya, Syria or Sudan is prohibited. 

7. General: 

If You are located in North America or Latin America, this Agreement will be governed by the laws of the State of California, United 
States of America. Otherwise, this Agreement will be governed by the laws of England. This Agreement and any related License 
Module is the entire agreement between You and Symantec relating to the Appliance and: (i) supersedes all prior or contemporaneous 
oral or written communications, proposals and representations with respect to its subject matter; and (ii) prevails over any conflicting 
or additional terms of any quote, order, acknowledgment or similar communications between the parties. This Agreement may only be 
modified by a License Module or by a written document which has been signed by both You and Symantec. This Agreement shall 
terminate upon Your breach of any term contained herein and You shall cease use of and destroy all copies of the Software and shall 
return the Appliance to Symantec. The disclaimers of warranties and damages and limitations on liability shall survive termination. 
Should you have any questions concerning this Agreement, or if you desire to contact Symantec for any reason, please write: (i) 
Symantec Customer Service, 175 W. Broadway, Eugene, OR 97401, USA, or (ii) Symantec Customer Service Center, PO BOX 5689, 
Dublin 15, Ireland. 

8. Excluded Software: 

The Excluded Software consists of the open source code software known as Linux included with the Appliance. All Excluded 
Software is licensed under the GNU General Public License, Version 2, June 1991, a copy of which is included with the user 
documentation for the Appliance. The license entitles You to receive a copy of the source code for Linux only upon request at a nominal charge. 
If you are interested in obtaining a copy of such source code, please contact Symantec Customer Service at one of the above addresses 
for further information. 






Service and support solutions 



Service and support information is available from the Help system of your Symantec product. Click the 
Service and Support topic in the Help index. 

Technical support 

Symantec offers several technical support options: 
StandardCare support 

Connect to the Symantec Service & Support Web site at http://service.symantec.com, then select 
your product and version. This gives you access to product knowledge bases, interactive 
troubleshooter, Frequently Asked Questions (FAQ), and more. 

PriorityCare, GoldCare, and PlatinumCare support 

Fee-based telephone support services are available to all registered customers. For complete 
information, please call our automated fax retrieval service at (800) 554-4403 and request 
document 933000. 

For telephone support information, connect to http://service.symantec.com, select your product and 
version, and then click Go! On the Service & Support page for your product, click Contact 
Options. 

Automated fax retrieval 

Use your fax machine to receive general product information, fact sheets, and product upgrade 
order forms by calling (800) 554-4403. For technical application notes, call (541) 984-2490. 

Support for old and discontinued versions 

When a new version of this software is released, registered users will receive upgrade information in the 
mail. Telephone support will be provided for the old version for six months after the release of the new 
version. Technical information may still be available through the Service & Support Web site (http:// 
service.symantec.com). 

When Symantec announces that a product will no longer be marketed or sold, telephone support will be 
discontinued 60 days later. Support will be available for discontinued products from the Service & Support 
Web site only. 
Customer service 



Visit Symantec Customer Service online at http://service.symantec.com for assistance with non-technical 
questions and for information on how to do the following: 

• Subscribe to the Symantec Support Solution of your choice. 
• Obtain product literature or trialware. 
• Locate resellers and consultants in your area. 
• Replace missing or defective CD-ROMs, disks, manuals, and so on. 
• Update your product registration with address or name changes. 
• Get order, return, or rebate status information. 
• Access customer service FAQs. 
• Post a question to a Customer Service representative. 

For upgrade orders, visit the online upgrade center at: http://www.symantec.com/upgrades/ or call the 
Customer Service Order Desk at (800) 568-9501. 

Worldwide service and support 

Technical support and customer service solutions vary by country. For information on Symantec and 
International Partner locations outside of the United States, please contact one of the service and support 
offices listed below, or connect to http://www.symantec.com, select the country you want information 
about, and click Go! 



Service and support offices 



North America 

Symantec Corporation 
175 W. Broadway 
Eugene, OR 97401 
U.S.A. 
http://www.symantec.com/ 
Fax: (541) 984-8020 

Automated Fax Retrieval 
(800) 554-4403 
(541) 984-2490 



Argentina and Uruguay 



Symantec Region Sur 
Cerrito 1054 - Piso 9 
1010 Buenos Aires 
Argentina 



http://www.service.symantec.com/mx 
+54(11) 5382-3802 
Fax: +54 (11) 5382-3888 



Asia/Pacific Rim 



Symantec Australia Pty. Ltd. 
408 Victoria Road 
Gladesville, NSW 2111 
Australia 



http://www.symantec.com/region/reg_ap/ 
+61 (2) 9850-1000 
Fax: +61 (2) 9817-4550 



Brazil 

Symantec Brasil 
Market Place Tower 
Av. Dr. Chucri Zaidan, 920 
12° andar 
Sao Paulo - SP 
CEP: 04583-904 
Brasil, SA 
http://www.service.symantec.com/br 
+55 (11) 5189-6300 
Fax: +55 (11) 5189-6210 
Europe, Middle East, and Africa 

Symantec Customer Service Center 
P.O. Box 5689 
Dublin 15 
Ireland 
http://www.symantec.com/region/reg_eu/ 
+353 (1) 811 8032 
Fax: +353 (1) 811 8033 

Automated Fax Retrieval 
+31 (71) 408-3782 



Mexico 

Symantec Mexico 
Blvd Adolfo Ruiz Cortines, No. 3642 Piso 14 
Col. Jardines del Pedregal 
Ciudad de Mexico, D.F. 
CP. 01900 
Mexico 
http://www.service.symantec.com/mx 
+52 (5) 481-2600 
Fax: +52 (5) 481-2626 



Other Latin America 

Symantec Corporation 
9100 South Dadeland Blvd. 
Suite 1810 
Miami, FL 33156 
U.S.A. 
http://www.service.symantec.com/mx 



Subscription policy 



If your Symantec product includes virus, firewall, or web content protection, you might be entitled to 
receive protection updates via LiveUpdate. The length of the subscription could vary by Symantec product. 

When you near the end of your subscription, you will be prompted to subscribe when you start LiveUpdate. 
Simply follow the instructions on the screen. After your initial subscription ends, you must renew your 
subscription before you can update your virus, firewall, or web content protection. Without these updates, 
your vulnerability to attack increases. Renewal subscriptions are available for a nominal charge. 

Every effort has been made to ensure the accuracy of this information. However, the information contained 
herein is subject to change without notice. Symantec Corporation reserves the right for such change without 
prior notice. 
Product Overview 



The Symantec Firewall/VPN appliance family of products addresses the complete set of needs for a 
small office, remote office, branch office or small business to easily and securely get networked and 
connected to an Internet Service Provider or central office. The Symantec Firewall/VPN appliance 
protects your computers from intrusion. The Firewall feature makes your network "invisible" from 
the outside and turns away all unauthorized external requests for information from your network. 

The Symantec Firewall/VPN also offers a complete "turnkey" VPN solution. You can enable your 
company to communicate securely using the Internet as your own private corporate network. This 
allows telecommuters, remote offices, trusted partners, and vendors to access your servers while 
maintaining the security you and your users require. The Symantec Firewall/VPN is designed for 
small or remote offices connected by DSL, T1 lines, or cable modems. 

The Symantec Firewall/VPN also allows you to share your high-speed broadband Internet 
connection with more than one computer. You can use it to network all of your office's PCs, 
printers, and servers quickly and easily to create a local area network. Unlike other similar home 
office products, this family of products provides advanced capabilities needed by businesses such as 
integrated high availability, automatic dial-up backup and virtual private networking (VPN). 

Firewall - Stateful Inspection 

Stateful Inspection provides protection against hackers while enabling high speed access to the 
Internet. It also supports advanced functions that enable more flexible configuration. The Symantec 
Firewall/VPN works with and complements our enterprise firewalls such as the Symantec 
Enterprise Firewall or VelociRaptor. It is not a replacement for enterprise firewalls, but is designed 
to provide the right suite of features at the right price. 
Networking 

The Symantec Firewall/VPN also enables a local area network (LAN). This allows all the 
connected computers to share files, printers, and other network devices. The multiport 10/100 
switch, working with the built-in DHCP server, enables multiple users to connect to a shared 
network with nothing more than a standard Ethernet cable. The DHCP server "leases" IP addresses 
to computers as they connect to the local network. This combination ensures quick and easy network 
setup for even the most inexperienced PC users. Also included is PPPoE support and features such 
as NAT and PAT. 

Virtual Private Networking (VPN) 

The VPN feature of the Symantec Firewall/VPN enables secure and inexpensive tunneling between 
the local site and other sites, such as the central office or ISP. All of the Symantec Firewall/VPN 
models act as VPN gateways (VPN end points) for gateway to gateway VPN tunnels and remote 
client VPN to gateway tunnels (model 200R). 

High Availability / Load Balancing 

The Symantec Firewall/VPN 200 and 200R models include 2 WAN side ports that can load share 
across the two ports and even across two service providers using different Internet connection 
technology (for example DSL and cable). 

Automatic Dial Up Back Up 

Models 100, 200 and 200R include the ability to interface with an analog modem for auto dial-up 
backup. The Dial Up Back Up automatically engages a dial-up connection to the internet, using the 
serial port, if the primary internet connection fails. This ensures some level of connectivity even if 
your main Internet connection fails. It will automatically disengage when the primary connection 
returns. The serial port is used for analog or ISDN connections as well as pre-configuring or 
resetting the unit via a terminal console. The serial port can be used in Back Up mode or as the sole 
Internet connection of the unit until broadband is available in your area. 

IP Address Sharing 

The IP Address Sharing feature allows one or two external IP addresses to be shared across an 
entire office. This sharing creates many unique internal IP addresses from one or two external IP 
addresses and enables cost efficient use of Internet connectivity. 
Features 



Logging - Onboard Logging 

The Symantec Firewall/VPN creates a local log or record of configuration changes and security- 
related events. These logs are remotely accessible using an encrypted management link. The level 
of logging is configurable. 

Remote Accessibility 

The Secure Remote Management feature ensures that an ISP or a central office can 
manage these devices from a remote location. The Symantec Firewall/VPN can also be monitored 
via SNMPv1 tools. These tools are available for download and range in price from free to very 
expensive. Logs can be generated by these tools for a complete picture of network performance. 

IPSec/VPN Pass Through 

In addition to creating VPN tunnels using the Symantec Firewall/VPN as an end point, the 
Symantec Firewall/VPN automatically recognizes IPSec VPN sessions and allows them to pass 
through the firewall. This enables VPN sessions from internal clients to remote servers, if you desire. 

Other Networking Features 

The Symantec Firewall/VPN provides many other advanced networking features designed to 
ensure it can grow with your needs. 

Features 

Symantec Firewall/VPN 100 

The Symantec Firewall/VPN 100 model features include: 

• Four LAN ports with 10/100 autosense switch. 

• One 10 Mbps WAN port. 

• No hard user limit but recommended for offices with up to 15 users. 

• All the features previously listed in the Product Overview except for Load Balancing and 
remote VPN clients. 

• Power supplies 

• Traffic/connectivity and error lights 

• Serial port for auto-modem backup 

• DIP Switches - Used for disabling the DHCP Server, resetting the unit, activating the 
Serial Console Interface and configuring the Symantec Firewall/VPN for firmware 
upgrades 

• LAN Link LEDs - 100BaseT, 10BaseT and Duplex LED link indicators for LAN port(s) 

• Power Indicator LED - Lights when the power switch is on and power is supplied to the 
unit 

• Error LED indicator 

• LAN/WAN Transmit/Receive - Lights when data is transferred between the WAN and 
LAN 

• Backup Active LED - Lights when the ISDN/Analog backup feature is in progress (when 
broadband has dropped) 
Figure 1-1: Symantec Firewall/VPN 100 front panel 

Figure 1-2: Symantec Firewall/VPN 100 back panel 



Symantec Firewall/VPN 200 

The Symantec Firewall/VPN 200 model features include: 

• Eight LAN ports. 

• Two WAN ports. 

• No hard user limit but recommended for offices with up to 30 users. 

• All the features previously listed in the Product Overview. 

• Power Indicator LED - Lights when the power is supplied to the unit. 

• Error LED indicator. 

• LAN/WAN Transmit/Receive - Lights when data is transferred between the WAN and 
LAN. 

• Backup Active LED - Lights when the ISDN/Analog backup feature is in progress (when 
broadband has dropped). 
Figure 1-3: Symantec Firewall/VPN 200 front panel 

Figure 1-4: Symantec Firewall/VPN 200 back panel 

Symantec Firewall/VPN 200R 

The Symantec Firewall/VPN 200R has all the features of the 200 model and also comes with the 
Symantec Enterprise VPN Client software with integrated personal firewall feature. 
Symantec Firewall/VPN international symbols 

Table 1-1: Symantec Firewall/VPN international symbols 

The symbol graphics in this table are not reproduced here; the table gives the meaning of each symbol printed on the unit: 

• Power Indicator LED 

• Error Indicator LED 

• LAN/WAN Transmit/Receive 

• Backup Active LED 

• Modem (WAN) Link LED 

• WAN Port 

• LAN Ports 

• Full Duplex 

• Power Supply 

• Reset 

• On 

• Off 

• DIP Switch 

• Serial Port 



Management/Configuration interface 



The Symantec Firewall/VPN has a web browser-based user interface that provides screens for 
creating configurations, viewing status, and accessing logs. The Symantec Firewall/VPN 200 user 
interface has duplicate Setup fields for both WAN ports on the Main Setup screen as well as other 
interface screens. This management interface can be secured using the available VPN feature. 
The navigation menu of the management interface groups the screens as follows: 

General 

• Main Setup 

• Static IP & DNS 

• Status 

• View Log 

• LAN IP & DHCP 

• Config Password 

VPN 

• Static Key 

• Dynamic Key 

• Client Identity 

Advanced 

• Host IP & Group 

• Access Filters 

• Special Applications 

• Virtual Servers 

• Custom Virtual Servers 

• Exposed Host (DMZ) 

• Advanced PPPoE 

• Dynamic DNS 

• Routing 

• Backup/Analog/ISDN 

• Log Settings 

• Expert Level 

The Main Setup screen shows the Connection Status and contains: an "Obtain IP & DNS Automatically" option (used for DHCP connections unless a static IP is set); a PPPoE option with User Name, Password, and Verify fields (enable only for use with PPPoE connections); and Optional Network Settings for Host Name, Domain Name, and Network Adapter (MAC) Address (do not change unless needed by your ISP). The screen has Save, Cancel, and Refresh buttons. 

Figure 1-5: Example of the user interface for Symantec Firewall/VPN 100 
CHAPTER 

Installation 



Prerequisites 

The Symantec Firewall/VPN package contains the following: 

• The Symantec Firewall/VPN unit 

• A 2 m (6.5 ft) CAT5 grade Ethernet cable 

• CD with User Manual, utilities and Symantec Enterprise VPN Client (200R only) 

• 9v DC 1000 mA power adapter 

• Quick Start Card 

Network requirements 

You will need the following to use the Symantec Firewall/VPN : 

• A cable or DSL Internet account (or other network connection) 

• A cable or DSL modem (or other network device) with an RJ45 (Ethernet) 10BaseT 
compatible connection 

This is usually available from your ISP upon request. 

• An Ethernet 10BaseT or 100BaseT compatible network card on computer(s) you want to 
connect to the Firewall/VPN 







• A standard Web Browser 

• TCP/IP Network Protocol 

This is usually already installed in your computer and is a part of all modern operating 
systems. 

• UTP (CAT5 grade) cabling with RJ45 connector to connect computers to the Symantec 
Firewall/VPN (1 cable included) 

Cautions and warnings 

• Follow all warnings, notes, and instructions marked on the Symantec Firewall/VPN. 

• To protect the unit from overheating, make sure it is not blocked or covered. 

• Do not use or store the Symantec Firewall/VPN in an environment that exceeds 
temperature and humidity specifications. 

• Do not place the Symantec Firewall/VPN near a radiator or heat register, or in a built-in 
installation unless adequate ventilation is provided. 

• Before cleaning the Symantec Firewall/VPN, unplug it from wall outlet. Do not use liquid 
cleaners or aerosol cleaners. Use a damp cloth for cleaning. 

• Do not place cords or cables where they may be walked on or tripped over. 

• Be sure to comply with any applicable local safety standards or regulations. 

• General-purpose cables are provided with the Symantec Firewall/VPN. Any cables or 
other requirements mandated by local authority are your responsibility. 

• Cables that are attached to devices in different locations that have different power sources 
and grounding may have hazardous voltage potentials. Consult a qualified electrical 
consultant before installing the Symantec Firewall/VPN to see if this phenomenon exists 
and, if necessary, take corrective action. 

• Never touch annunciated telephone wires or terminals unless the line has been 
disconnected. 

• Avoid using telephone equipment or installing the Symantec Firewall/VPN during an 
electrical storm. 

• Never install telephone jacks, lines, network cables, the Symantec Firewall/VPN, or 
power connections in wet locations. 
• Never spill liquid of any kind on the Symantec Firewall/VPN. 

Internet account information 

You must determine what type of Internet connection you have in order to proceed with the 
installation. For the purposes of this manual, it should be one of three different types: 

PPPoE Internet account - Most large DSL ISPs have adopted this method. If you have "Dial Up" 
software on your computer to access your account, then you most likely have a PPPoE account. 

• You will need your User Name and Password before installing the Firewall/VPN 

• Disable (or uninstall) the PPPoE "Dial-Up" Software 

Dynamic IP DHCP Internet account - Most Cable ISPs, some DSL. 

• Sometimes no information is required; just connecting the Symantec Firewall/VPN and 
rebooting your computer will get you connected. 

• The MAC (Network Adapter) address of your Ethernet card might be needed if used by 
your ISP. See below for instructions on how to obtain it. 

• The Host Name or Domain Name on your computer might be needed if it is a coded name 
given to you by your ISP. 

Static IP Internet account (or network connection). 

• You will need your IP Address, Network Mask, Gateway, and DNS 

Some ISPs (usually cable) have abbreviated names for your e-mail servers and Web home page. 
This is the case if your Internet home page is a very short name, like "www" or "web" rather than 
www.symantec.com, or your e-mail server's name is something like "pop3" or "mail" instead of 
mail.symantec.com. 

You MUST obtain the actual server names (Internet names) in order to access the Web and e-mail 
when using the Symantec Firewall/VPN. You can obtain this information from your ISP. 

Connecting the cables 

It is strongly recommended that you install your Symantec Firewall/VPN with only one computer 
directly connected to it at first. This will greatly simplify any troubleshooting during installation. 
After the install is successful with a single computer, you can then add additional computers and/or 
hubs to the Symantec Firewall/VPN. The following installation assumes this simple network setup. 



Figure 2-1: Symantec Firewall/VPN 200 front panel (labels: Modem (WAN) 10BaseT Ports, LAN Ports, LAN Link LEDs) 

Figure 2-2: Symantec Firewall/VPN 200 back panel (labels: 9v DC Power Input, Power Switch) 

To connect the cables 

1. Insert the 9v DC 1000 mA power adapter that was included with the Symantec Firewall/VPN 
and plug it into an electrical outlet. Make sure to ONLY use the adapter that came 
with the unit. 

2. Remove the cable that came with your modem from your computer (if applicable) and 
insert the free end into the modem (WAN) port of the Symantec Firewall/VPN. You 
should see the WAN link light illuminate green. If not, check that you are using the same 
cable that came with the modem. 

For the Symantec Firewall/VPN 200: Repeat this step for each additional modem port 
with a separate modem or connection (you can mix cable, DSL, or routed connections on 
the two modem ports). 
3. You should see a green link light on the corresponding LAN LED. If not, confirm that 
your computer is powered on and your Ethernet card is functioning properly. This is true 
for every connection you make to the Symantec Firewall/ VPN. Always check for a 
corresponding green link LED. 

Configuring your computer 

Configuring your computer involves setting up your computer to automatically accept the IP 
addressing from the Symantec Firewall/VPN's DHCP Server. This forms an internal network 
(LAN), separate from the outside, with its own private IP addressing scheme. Configuration 
procedures may vary depending on the operating system of your computer. The following is for 
Windows NT only. 

Follow the procedures below for each additional computer you connect to the Symantec Firewall/ 
VPN. 

1. Click Start > Settings > Control Panel. 

2. Open Network then select TCP/IP (if there is more than one TCP/IP, pick the one bound 
to your Ethernet card). 

3. Click Properties. 

4. Verify that Obtain an IP address automatically is selected. 

5. Click the Gateway tab. 

6. Confirm that there are no entries. 

7. Click the DNS Configuration tab. 

8. Confirm that DNS disabled is selected. 

9. If there are entries under any of these tabs, make a note of them before clearing, as they 
may have to be entered into the Symantec Firewall/VPN. 

10. Reboot your computer. 
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Configuration 



Management / Configuration interface 



The Symantec Firewall/VPN has a Web-based configuration interface. Use any standard web 
browser running on your computer to configure settings on the Symantec Firewall/VPN. The Main 
Menu of the Management / Configuration is located on the left side of the screen at all times. 

The Symantec Firewall/VPN 100 and 200 have slightly different interfaces because the 200 has two 
WAN (modem) ports and each WAN port can have different configurations. The 100 has one WAN 
(modem) port. 

To start the User interface 

1. Start your browser. 

2. If you have proxy settings on your browser, clear them now. 

If you do not know how to clear proxy settings see the instructions that follow. 

3. Type http://192.168.0.1 into the address bar of your browser. 

4. Press the Enter key on your keyboard. 

5. The Symantec Firewall/VPN Main Setup screen displays, as shown in Figure 3-1 on 
page 3-3. 



To clear Proxy settings on your Internet Explorer Browser 

1. Choose Tools > Internet Options. 

2. Click the Connections tab. 

3. Click LAN Settings. 

4. Remove all checks from all the boxes and click OK. 

5. Click Never Dial a Connection. 

6. Click OK. 

To clear Proxy settings on your Netscape Browser 

1. Choose Edit > Preferences. 

2. Click Advanced. 

3. Click Proxies. 

4. Click Direct Connection to the Internet. 

Basic configuration 

The following sections provide an overview of the basic tasks for configuring your Symantec 
Firewall/VPN. Each screen in the user interface has a separate section that describes its functions. 

Use the Main Setup screen to set your initial connection, or modify your connection parameters at 
any time. 

Language Selection screen 

The first screen displayed after installation is the Language Selection screen. It is only displayed 
once. You can choose one of the available languages for the user interface by checking the check 
box next to the language. If you want to change languages later, go to the Expert Level screen 
where these language options are also available. 
Main Setup Screen 

Figure 3-1: Firewall/VPN 200 Symantec Main Setup screen. The Main Menu on the left lists: 
General (Main Setup, Static IP & DNS, Status, View Log, LAN IP & DHCP, Config Password); 
VPN (Static Key, Dynamic Key, Client Identity); Advanced (Host IP & Group, Access Filters, 
Special Applications, Virtual Servers, Custom Virtual Servers, Exposed Host (DMZ), Advanced 
PPPoE, Dynamic DNS, Routing, Backup/Analog/ISDN, Log Settings, Expert Level). The form 
repeats the following for WAN (Modem) Port 1 and WAN (Modem) Port 2: Connection Status; 
Mode (Normal / Off / Backup; "Set to Off if not connected!"); Obtain IP & DNS Automatically 
(Enabled; for DHCP connections, unless Static IP is set); Alive Indicator (Site IP or URL); 
PPPoE (Enabled, User Name, Password, Verify Password; enable only for PPPoE connections); 
Optional Network Settings (Host Name, Domain, Network Adapter (MAC) Address). Buttons: 
Save, Cancel, Refresh. 

The Main Setup screen is the first screen you see when you browse to the Symantec Firewall/VPN. 
It contains the basic settings fields needed to get you up and running on the Internet. This screen is 
used to configure both WAN Port 1 and WAN Port 2. 
The Connection Status section at the top of the screen indicates whether you are: Connected, 
Connecting (when dialing PPPoE) or Disconnected. 

To configure using the Symantec Firewall/VPN 200 Main Setup screen 

1. If the Main Setup screen is not displayed, click Main Setup on the Main Menu. The 
Main Menu is always displayed on the left side of the User Interface. 

2. Do one of the following: 

• If you are using an ISP account whose IP address is provided automatically by a 
DHCP server, click on the Enable radio button in the Obtain IP & DNS 
Automatically section. 

This radio button is enabled by default and applies to most Cable accounts. It should 
connect you immediately (Connection Status mode Normal) if you have such an 
account. If it does not, click the Reset button on the Firewall/VPN. 

If you still do not connect, you may need to change the Network Adapter (MAC) 
address. For more information see Required by Optional Network Settings section on 
page 3-5. 

If you have a Static IP Internet account or are using the Symantec Firewall/VPN 
internally or on another network, leave this setting Enabled. Then enter the Static IP 
information using the Static IP & DNS screen, as described in Static IP and DNS on 
page 3-7. 

• If you have a PPPoE Internet Account, click the Enable radio button in the PPPoE 
section. 

You are likely to be using PPPoE if you previously used dial-up software on your 
computer with a username and password to establish your connection through a DSL 
modem. The Symantec Firewall/VPN will dial for you, so you should disable or 
uninstall the dial-up software. 

You must also: 

a. Enter the user name given to you by the ISP. 

b. Enter and verify the password given to you by the ISP. 

You should connect in a moment. You might have to reboot your computer to update its 
IP information to access the Internet. If you have trouble, verify that your PPPoE user 
name and password are correct. 






Required by Optional Network Settings section 

Some ISPs require additional information for authentication. If you have trouble connecting, you 
can enter that information in the Optional Network Settings section of the Main Setup 
screen. 

To configure the Optional Network Settings fields 

1. In the Host Name field, enter the same host name from your computer. 

You must enter the host name retrieved from the computer connected to the Internet 
service. 

Note: The host and domain names are case sensitive. 

2. In the Domain Name field, enter the same domain name from the computer that was 
previously connected to the Internet. @Home customers should enter their full @Home 
e-mail address in the Domain Name field to access their e-mail server. 

3. Enter your Network Adapter Address (MAC) in the Network Adapter Address (MAC) 
fields. 

Some ISPs authenticate on the adapter (MAC) address of your Ethernet card to confirm 
who you are. The Symantec Firewall/VPN might have to mimic your computer by 
adapter address to connect to your ISP. You must enter the MAC address retrieved from 
the computer connected to the Internet service. 

4. Click Save after entering all information. 

To configure for cable modem using DHCP 

You may already be connected. The Connection Status is on the top of the Main Setup Screen. If 
it displays "Connected...", you should be able to browse the Web. 

If you have a cable modem account and the Connection Status displays Disconnected... 

1. Click Main Setup. 

2. Go to the Optional Network Settings section of the screen. 

3. Enter your network adapter (MAC) or ISP supplied host name or domain name. 
4. Enter the MAC (see below) or Host/Domain Name in the appropriate fields. 

Note: The host and domain names are case sensitive. 

5. Click Save. The Symantec Firewall/VPN restarts and attempts to connect to the Internet. 

6. Wait a moment, then click Back to the Main Setup page. 

7. Click Refresh in your browser. The Symantec Firewall/VPN should display Connected in 
the Connection Status field. 

If it doesn't, try refreshing again in a moment or consult Chapter 9 - Troubleshooting. 

To configure for DSL or cable modem using PPPoE 

You will need your User Name and Password in order to proceed. 

1. Open the Main Setup screen. 

2. Click the Enabled radio button below the PPPoE header. 

3. In the User Name field, enter your PPPoE (Dial-Up) user name exactly as given by your 
ISP. 

Note: Some ISPs use the domain in the username when logging on (for example 
"john@gte.net") and some just use the userID (for example "john"). 

4. In the Password field, enter your PPPoE password. 

5. In the Verify field, enter your PPPoE password again. 

This makes sure there are no typos, because the password is hidden. 

6. Click Save. 

7. Wait a moment, then click Back to the Main Setup. 

8. Refresh on your browser. 

You should see Connected or Connecting in the Connection Status field. If you do not, 
try refreshing again in a moment or consult Chapter 9 - Troubleshooting. 
Static IP and DNS 



If you have a Static IP account from your ISP or are using the Symantec Firewall/VPN behind 
another gateway device, enter the network information on the Static IP and DNS screen. This 
screen is similar to a computer's Network Properties screen. 



Figure 3-2: Symantec Firewall/VPN 200 Static IP & DNS screen. The screen has a WAN 1 IP and a 
WAN 2 IP section (not for use with PPPoE or dynamic IP accounts), each with IP Address 
("Status will always show connected if non-zero"), Network Mask and Default Gateway fields; a 
Domain Name Servers section (DNS 1, DNS 2, DNS 3; optional on dynamic IP accounts and 
PPPoE); and a DNS Gateway section ("Optional DNS Server IP for Local/Remote Name 
Resolution over LAN or VPN") with a DNS Gateway IP field ("All DNS requests will be 
forwarded to this IP") and a Use ISP or Static DNS as Backup Enable/Disable setting ("When 
Enabled: If VPN or Local DNS Gateway is down, DNS requests are forwarded to ISP or Static 
DNS IPs"). Buttons: Save, Cancel, Restore Defaults. 

To configure Static IP & DNS 

Complete the information on the Static IP & DNS screen as follows: 

1. Under the WAN IP section, in the IP Address field enter the IP address of the external 
(WAN) side of the Firewall/VPN. 



2. In the Network Mask field enter the network mask. 

This mask determines where packets are sent (internal or external). Custom ISP accounts 
might require a change; otherwise leave it at its default of 255.255.255.0 (Class "C" 
network). 

3. In the Default Gateway field enter the default gateway. 

Symantec Firewall/VPN sends any packet it does not know how to route to the default 
gateway. 

4. In the Domain Name Servers field enter up to three Domain Name Servers. 

Domain Name Servers are needed for Static accounts. Entries are not needed for standard 
(dynamic) Internet accounts, or accounts where a DHCP server gives out the information. 
You can override and enter your own settings for any Internet account. 

5. Click Save after entering all information. 

DNS Gateway section 

The DNS Gateway is an optional DNS Server providing local and remote name resolution over 
VPNs. All DNS requests will be forwarded to the IP address you enter in the DNS Gateway IP 
field. If the internal DNS server is down, the unit can be configured to forward all DNS requests to 
the ISP's DNS servers. 
Status 

The Status screen displays the current status and configuration of the Firewall/VPN. 
Figure 3-3: Status screen. It lists, for WAN 1 (External Port) and WAN 2 (External Port): 
Connection Status, Network Mask, IP Address, Physical Address, Gateway, DHCP Client and 
DNS IP Address(es); for LAN (Internal Ports): IP Address, Physical Address, Network Mask and 
DHCP Server; and under Device: Firmware Version, Exposed Computer, Special Applications, 
Network Address Translation, Virtual Servers and Hardware ID, with a Refresh Screen button. 



Physical Address is the MAC address of the Firewall/VPN, both LAN and WAN. 

If you have trouble accessing the Internet, confirm that you have a WAN IP address. If you do, 
there might be a DNS or other problem at your ISP. In any case, have this screen handy when 
calling Symantec Support. 

LAN IP and DHCP 



Caution: DO NOT change these settings unless needed by your network. If you do you 
may lose connectivity with the Firewall/VPN, requiring a manual reset to 
defaults. 
Figure 3-4: LAN IP and DHCP screen. Sections: UNIT LAN IP (IP Address, Network Mask); 
DHCP (DHCP Server Enable/Disable, Range Start IP, Range End IP; Save and Cancel buttons); 
DHCP Table with columns Host Name, IP Address, Physical Address and Status. 

UNIT LAN IP 

The Unit LAN IP is the IP Address of the Symantec Firewall/VPN on your LAN (your hosts see it 
as their default Gateway). 

Caution: If you change this and click Save, YOU WILL NOT BE ABLE TO ACCESS 
THE SYMANTEC FIREWALL/VPN UNLESS YOU REBOOT (release and 
renew your host IP) because the unit's IP address, network mask, and default 
gateway have just changed. 



The combination of the IP address and network mask determines the destination subnet for the 
packets. This information is required for properly routing packets through an IP network. 
Custom ISP accounts might require a change; otherwise leave it at its default of 255.255.255.0 
(Class C network). 

DHCP 

The DHCP server in the Firewall/VPN, enabled by default, serves IP addresses and DNS 
information to up to 253 computers connected to it. For this to work, your computers must be set to 
"Obtain IP Automatically" or "Obtain from DHCP Server" in the control panel (see Configuring 
your computer on page 2-5 for more information). 

The Symantec Firewall/VPN always assigns an IP address for the DNS server (192.168.0.1 by 
default) unless static DNSs are set. This is normal, as the Symantec Firewall/VPN will take care of 
DNS requests sent to the ISP. 

You can disable the DHCP server in the Firewall/VPN. This is useful if you already have a DHCP 
server on your network or if the computers on your LAN have Static IPs entered into their network 
properties. For example, if you have a web server on your site, you will want to assign it a static 
address. 

The DHCP Range shows the range of IP addresses you want given out by the DHCP server. 
The DHCP Table lists all the hosts in the Firewall/VPN's DHCP server and their properties. 
If you make any changes, click Save after entering all information. 

Config Password 

This password protects the Symantec Firewall/VPN's Web interface by asking for authentication 
when accessing the unit. It is recommended that you set a password when working in an office 
environment to prevent possible reconfiguration. You should always have a password when 
enabling remote configuration (see the Expert Level screen). In addition, Symantec recommends 
that remote management of the unit from outside be done through a VPN Tunnel. 
Figure 3-5: Config Password screen. Interface Authentication: User Name is always admin; 
Password and Verify fields; Save and Cancel buttons. 

Note: The User Name is always admin when logging into the Firewall/VPN. 

To configure a password 

1. Enter the password. 

2. Re-enter the password to verify. 

3. Click Save. 

If you forget your password, you will have to perform a manual reset (see Chapter 9 - 
Troubleshooting) or reset the unit through the serial console. Re-flashing the firmware will not 
reset the password! 






CHAPTER 




Advanced Configuration 

Advanced PPPoE 

Most users will not need to access this page since the default settings of the Symantec Firewall/VPN 
are optimal for most situations and will make PPPoE accounts behave transparently. 



Figure 4-1: Advanced PPPoE screen. Sections: WAN Port & Session (Port: WAN 1; PPPoE 
Session: Session 1, "Leave on Session 1 unless you have a multi-session PPPoE account"; Update 
Fields Below button); Session Connection (Connect on Demand Enable check box; Idle Time Out, 
0 Minutes); Choose Service ("Only for ISPs that have additional PPPoE services": Select Service, 
Query Services); Authentication (User Name, Password, Verify); Save All, Cancel and Clear Log 
buttons; Manually Connect or Disconnect Your PPPoE Account (Connect, Disconnect buttons). 

To configure Advanced PPPoE 

Note: You must be DISCONNECTED in order to use this feature. 
1. Select the WAN Port from the WAN Port drop down list. 

2. If you have a multi-session PPPoE account select the appropriate session from the PPPoE 
Session drop down list. 

Repeat the following steps for each PPPoE session. 

If you have a single session PPPoE account, leave the PPPoE session at Session 1. 

3. Click Update Fields. 

4. Use the Connections section to specify whether you connect or disconnect your PPPoE 
account manually or automatically. 

a. The Connect on Demand is enabled by default, which means the Symantec Firewall/ 
VPN will connect automatically when an Internet request is made (like browsing a 
web site). If you want to connect manually, disable the check box and connect by 
clicking Connect. 

b. In the Idle Time Out, field enter the number of minutes of inactivity after which you 
want the Symantec Firewall/VPN to disconnect the PPPoE connection. 

c. Enter 0 to keep the connection always on and to prevent the Symantec Firewall/VPN 
from ever hanging up. If the value is more than 0, enable Connect on Demand to 
redial automatically when needed. 

d. If you have a Static IP PPPoE Internet account, enter the IP address in the Static IP 
Address field, otherwise leave the value at zero. 

Note: This is for PPPoE only! 

5. If your ISP has different services available for your PPPoE account, use the Choose 
Services section to access them. 

a. Click Query Services. 

b. Select the service from the drop down list, then connect as normal. 

6. Enter your User Name. 

7. Enter your Password. 

8. Verify your Password. 

9. Click Save All to process the screen. 
The log file located in View Log screen provides useful information about your PPPoE connection 
if you have any trouble connecting to your ISP. 
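The Connect on Demand and Idle Time Out settings from step 4 interact in ways that are easy to get wrong, so here is an added example (not the appliance's firmware) that models their behaviour; times are in minutes and the event strings are constructed for illustration:

```python
"""Model of the Advanced PPPoE session controls: Connect on Demand and Idle Time Out.

Added example, not firmware from the Symantec Firewall/VPN. It reproduces the
behaviour the configuration steps describe: a timeout of 0 keeps the session up,
a timeout above 0 hangs up after that many idle minutes, and Connect on Demand
decides whether a new Internet request redials or is dropped.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PPPoESession:
    connect_on_demand: bool = True    # enabled by default on the appliance
    idle_timeout_min: int = 0         # 0 = always on, never hang up
    connected: bool = False
    last_activity: Optional[float] = None   # minute of the last Internet request
    events: List[str] = field(default_factory=list)

    def connect(self, now: float) -> None:
        """Manual Connect button, or the automatic dial made for an on-demand request."""
        if not self.connected:
            self.connected = True
            self.events.append(f"{now:g}: connect")
        self.last_activity = now

    def disconnect(self, now: float, reason: str = "manual") -> None:
        """Manual Disconnect button, or the idle-timer hang-up."""
        if self.connected:
            self.connected = False
            self.events.append(f"{now:g}: disconnect ({reason})")

    def tick(self, now: float) -> None:
        """Idle timer: hang up once idle_timeout_min minutes pass without a request."""
        if (self.connected and self.idle_timeout_min > 0
                and self.last_activity is not None
                and now - self.last_activity >= self.idle_timeout_min):
            # the hang-up happened when the timer expired, not when we noticed it
            self.disconnect(self.last_activity + self.idle_timeout_min,
                            reason="idle timeout")

    def request(self, now: float) -> bool:
        """An Internet request from the LAN at minute `now`; True if it can be sent."""
        self.tick(now)
        if not self.connected:
            if not self.connect_on_demand:
                self.events.append(f"{now:g}: request dropped (disconnected, manual mode)")
                return False
            self.connect(now)
        self.last_activity = now
        return True


def simulate(connect_on_demand: bool, idle_timeout_min: int,
             request_times: List[float], end: float) -> List[str]:
    """Feed request timestamps (minutes) to a fresh session; return its event log at `end`."""
    session = PPPoESession(connect_on_demand=connect_on_demand,
                           idle_timeout_min=idle_timeout_min)
    for t in request_times:
        session.request(t)
    session.tick(end)
    return session.events


if __name__ == "__main__":
    # idle timeout of 10 minutes with Connect on Demand: hangs up at 15, redials at 30
    for line in simulate(True, 10, [0, 5, 30], 100):
        print(line)
```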

Dynamic DNS Service 

Dynamic DNS Service is a way for people outside to connect to your computers using a domain 
name, even when you have a dynamic IP account from your ISP (your IP address changes from 
time to time). If you set up a Virtual Web Server, people will always be able to access it by entering 
your domain name, for example www.mydyndns.com. 
Figure 4-2: Dynamic DNS Service screen. Fields: WAN Port, User Name, Password, Verify, 
Server; Backup MX and Mail Exchanger; a Force DNS Update button ("Do not use unless required, 
the service will be automatically updated only when needed"); Save and Cancel buttons. 

The Symantec Firewall/VPN contacts a Dynamic DNS service every time your IP changes and 
updates it automatically. The Dynamic DNS service then updates DNS servers throughout the 
world. Dynamic DNS services are available for pay and for free. The Dynamic DNS client in the 
Symantec Firewall/VPN is compatible with most standard services. 

To configure Dynamic DNS 

The information for the client fields in the following process should be obtained from your ISP. 
1. Click Enable. 

2. Select your WAN Port from the WAN Port drop down list. 

3. Enter your Basic Settings. 

This is your account information. Enter exactly as given to you by the service. 

4. Click on Save. 

Optional Dynamic DNS settings 

These settings are not necessary for use, but are used for e-mail forwarding using your new domain 
and alternate domain names. The Force DNS Update button is there only for special circumstances. 
Normally, Dynamic DNS services do not like you manually updating your information unless your 
IP changes! 

To configure Optional settings 

1. Click on Wildcards. 

2. Click on Backup MX. 

3. Enter Mail Exchanger. 

4. Click Save after entering all information. 

Routing 

When there is more than one router on a network, you must add routing settings on the Firewall/ 
VPN to tell it what traffic goes to which router. The unit supports static routes and the RIP2 
dynamic routing protocol. When you specify routing, the Symantec Firewall/VPN can 
automatically forward the packet to the correct router. 

Figure 4-3: Routing screen 

If RIP2 is not being used on the network, you must make entries in the static routing table through 
the Routing interface screen. 

Use the static routing table only when needed. If you make incorrect entries, you may lose your 
connection to the unit and have to perform a manual reset. 

Existing entries 

If you have previously made an entry to this screen and you want to update or delete it, you must 
first select it using Select Entry and then click Update Fields Below to access its settings. If you 
are adding a new entry, click Clear Form to start with a blank form. 
Routing table data 

An entry in the routing table is required for each LAN segment on your network so that any other 
segment attached to this device can share data back and forth. The data in the Routing Table is as 
follows. 



Table 4-1: Routing data 

Destination IP Address - The network address of the remote network segment. For standard class 
"C" networks, the network address is the first three fields of the Destination IP Address. The 
fourth (last) field can be left at 0. 

Subnet Mask - The Subnet Mask used on the remote network segment. For class "C" networks, 
the standard Subnet Mask is 255.255.255.0. 

Gateway IP Address - The IP Address of the router on the network segment to which this device 
is attached, NOT the router on the remote network segment. Normally referred to as the next hop 
in the network. 

Interface - Select the appropriate interface, Internal (LAN) or External (WAN), from the 
drop-down list. Model 200 users have two External Interfaces to choose from. 

Metric - The number of routers that must be traveled to reach the remote LAN segment. The 
default value is 1. 



Other routers on the local LAN 



Other routers on the local network must use the Symantec Firewall/VPN's local router as the 
default route. The entries will be the same as the Symantec Firewall/VPN's local router, with the 
exception of the Gateway IP Address. 

For a router with a direct connection to the Symantec Firewall/VPN's local router, the Gateway IP 
Address is the address of the Symantec Firewall/VPN's local router. 

For routers that must forward packets to another router before reaching the Symantec Firewall/ 
VPN's local router, the Gateway IP Address is the address of the intermediate router. 
Figure 4-4: Routes example 

For the LAN shown above, with two routers and three LAN segments, the Symantec Firewall/ 
VPN's Routing Table requires two entries as follows: 

Entry 1 (Segment 1) 

Destination IP Address 192.168.1.0 
Subnet Mask 255.255.255.0 
Gateway IP Address 192.168.0.100 
Metric 1 

Entry 2 (Segment 2) 

Destination IP Address 192.168.2.0 
Subnet Mask 255.255.255.0 
Gateway IP Address 192.168.0.100 
Metric 2 
For Router A's Default Route 

Destination IP Address 0.0.0.0 
Subnet Mask 0.0.0.0 

Gateway IP Address 192.168.0.1 (Symantec Firewall/VPN's IP Address) 

For Router B's Default Route 

Destination IP Address 0.0.0.0 
Subnet Mask 0.0.0.0 

Gateway IP Address 192.168.1.30 (Symantec Firewall/VPN's local router) 
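A static routing lookup over entries shaped like Table 4-1, applied to the Routes example above and to the default gateway from the Static IP & DNS screen. This is an added example, not code from the appliance; the route entries are the manual's, while the WAN gateway 203.0.113.1 and the lookup addresses are constructed.

```python
"""Static routing lookup over entries shaped like Table 4-1 (longest prefix, then metric).

Added example, not code from the Symantec Firewall/VPN. The route entries are the
ones the manual gives for the Routes example (Figure 4-4); the WAN gateway address
and the destination addresses used for lookups are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # network address of the remote segment, last field 0 for class C
    subnet_mask: str   # mask used on that segment
    gateway: str       # next hop: a router on the segment this device is attached to
    interface: str     # Internal (LAN) or External (WAN)
    metric: int = 1    # routers crossed to reach the segment; default 1

    @property
    def network(self) -> ipaddress.IPv4Network:
        # 192.168.1.0 + 255.255.255.0 -> 192.168.1.0/24; 0.0.0.0 + 0.0.0.0 is the default route
        return ipaddress.IPv4Network(f"{self.destination}/{self.subnet_mask}", strict=False)


# Firewall/VPN routing table from the manual's example: segments 1 and 2 are reached
# through Router A, whose address on the firewall's own segment is 192.168.0.100.
FIREWALL_ROUTES: List[Route] = [
    Route("192.168.1.0", "255.255.255.0", "192.168.0.100", "LAN", 1),
    Route("192.168.2.0", "255.255.255.0", "192.168.0.100", "LAN", 2),
]

# Router A's default route from the manual: everything it has no entry for goes to the
# Firewall/VPN's LAN IP.
ROUTER_A_ROUTES: List[Route] = [
    Route("0.0.0.0", "0.0.0.0", "192.168.0.1", "LAN", 1),
]


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Best matching entry for dst_ip: longest prefix wins, lower metric breaks ties."""
    dst = ipaddress.IPv4Address(dst_ip)
    matches = [r for r in routes if dst in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def next_hop(routes: List[Route], dst_ip: str, local_nets: List[str],
             wan_gateway: Optional[str] = None) -> Optional[str]:
    """Where a packet for dst_ip is sent.

    Hosts on a directly attached segment are delivered without a router ("direct");
    otherwise the static table decides; anything left over goes to the default
    gateway from the Static IP & DNS screen (wan_gateway), or is unroutable (None).
    """
    dst = ipaddress.IPv4Address(dst_ip)
    if any(dst in ipaddress.IPv4Network(net) for net in local_nets):
        return "direct"
    route = lookup(routes, dst_ip)
    return route.gateway if route is not None else wan_gateway


if __name__ == "__main__":
    for dst in ("192.168.0.55", "192.168.1.20", "192.168.2.7", "10.9.8.7"):
        print(dst, "->", next_hop(FIREWALL_ROUTES, dst, ["192.168.0.0/24"],
                                  wan_gateway="203.0.113.1"))
```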

Host IP and Group 

This screen lets you assign Static IPs, define the access group (see Access Filters), and bind 
multiple PPPoE sessions to individual hosts on the LAN. Static IPs (reservations in the Symantec 
Firewall/VPN's DHCP table) should be assigned for all Virtual Servers, Laptops (to avoid IP 
conflicts when their cards sleep) and printers connected directly to the LAN. 

On the Symantec Firewall/VPN Model 200s you can bind a Host to a specific WAN port. This 
prevents the Host from using both WAN ports when dual Broadband connection binding is in 
effect. This is useful for servers or applications that must always be on a specific IP. The default is 
Disabled. 

Select Host: If you have previously made an entry to this screen and you want to Update or Delete 
it, you must first select it from the drop down list and then click Update Fields Below to access its 
settings. Otherwise, if adding a new entry, do not select from the menu or click Clear Form before 
adding a new entry. 
Figure 4-5: Host IP and Group 

To configure Host IP and Group 

1. In the Host Network Identity section, enter a Host Name. 

Give the host a short descriptive name. This can be the same as the Host Name in the 
computer's network properties, if you want. 

2. Enter the Network Adapter Address. 

The Symantec Firewall/VPN identifies the host by the adapter address of its Network 
Interface Card (NIC - usually an Ethernet Card). You must enter the address of the Host's 
NIC into this field. 
3. In the Host Settings section, check the Reserve Entry In DHCP Table check box, to 
assign a Static local IP to the computer via the DHCP server on the Firewall/VPN. 

This means that the Symantec Firewall/VPN will automatically reserve the IP address 
below specifically for this host and will give this IP only to this host whenever it boots. 
You can leave the computer's network properties to Obtain IP Address Automatically, 
since the Symantec Firewall/VPN will ensure its IP always stays the same. 

4. In the Reserved IP field, enter the IP address you want for this computer. 

It must be on the same class network as the Symantec Firewall/VPN. If this is for a virtual 
server, ensure that the IP address matches the IP address you entered using the Virtual 
Server screen. (See Virtual Servers on page 4-17.) 

5. Select this host's group from the Access Group drop down list. 
The access groups are defined on the Access Filters screen. 

6. In the Bind with PPPoE Session drop down list, select the session to bind to this host. 

Use this only when multiple PPPoE sessions are defined. It requires a special ISP PPPoE 
account. 

7. Click Add to Add the new entry or: 

Click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. 
Click Update if you have changed the entry shown. 
Click Clear Form before Adding a new entry. 



Access Filters 

Access Filters control the types of information allowed out of your LAN. For example, to allow 
the use of Real Audio on the LAN you can select its protocol here or select No Restrictions. Most 
standard protocols are predefined or you can define custom filters. There are five security groups 
that you can define so you can have different levels of access for different computers. 



Figure 4-6: Access Filters screen 



By default, all computers are part of the Everyone group and have no restrictions on Internet use. 
To define filters, first select the group, specify the use of packet filters, and then enter the filters for 
that group using this screen. 

To modify an entry you made previously, select it from the drop down menu and then click Update 
Fields Below to access its settings. 

Note: You must BIND local hosts to the group they are in by using the Host IP & Group screen, 
as described in Host IP and Group on page 4-10. 
To configure Access Filters 

Note: Always click Save after each group setting. 

1. Select a Security Group from the Select Group drop down list. 
Associate hosts with Security Groups using the Host IP & Group Screen. 

2. Click Update Fields Below. 

3. In the Group Filter Setting section, click the Use Packet Filters Below radio button. 

This section defines the overall setting that applies to the selected group. You MUST 
choose Use Packet Filters Below in order to select filters. 

4. In the Quick Filters section, check the items you want to block. 

5. In the Custom Filters section, provide a short name and the Start and Finish ports used by 
the protocol. 

You must know the packet type (TCP or UDP) and ports used by the protocol you wish to 
block. If one port is used, enter the same number in both fields. Multiple protocols and 
ranges can be defined for very flexible access filters for each group. 

6. Click Save after entering all information for a group. 



Special Applications 

Certain applications with two-way communication need ports opened up in the firewall in order to 
function. This is true of most games and video/teleconferencing software. Some popular titles are 
already predefined, but are disabled by default. You can enable them here or add new entries. To 
find out what ports and protocols your application needs for operation, it's best to consult the 
application's support section and search for Firewall or NAT usage. Some applications might need 
more than one entry defined and enabled, for example when they have multiple port ranges in use. 
Figure 4-7: Special Applications screen 



To configure Special Applications 



1. Under Existing Special Apps, select an entry from the drop down list. 

Some of the predefined Special Application entries are available from this menu (since 
they are all disabled by default, you must select, enable, and update the entry) plus any 
that you have added yourself. 






If you have previously made an entry to this screen and you want to update or delete it, 
you must first select it from the drop down list and then click Update Fields Below to 
access its settings. This is also how you enable predefined Special Applications. 

If you are adding a new entry, do not select an entry from the menu; alternatively, click 
Clear Form before adding the new entry. 

2. Under Special Application Data, enter the name of the special application in the name 
field. 

Give your Special App any short descriptive name. 

3. Check or uncheck Enable to enable or disable your special application (disabling will 
close the ports defined below). 

Remember to click Update if using with an existing special application. 

4. From the Outgoing Protocol drop down list, choose either TCP or UDP as the protocol 
type for sending data (consult the application's support). 

5. In the Outgoing Port Range fields, enter the start and finish ports used by your application 
when it's sending data. If only one port is used, enter the same number in both fields. 

6. In the Incoming Protocol field, choose either TCP or UDP as the protocol type for 
receiving (consult the application's support). 

7. In the Incoming Port Range fields, enter the Start and Finish ports used by your 
Application when it's receiving data. 

If one port is used, enter the same number in both fields. 

8. Click Add to add a new entry. 

Click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. 
Click Update if you have changed the entry shown. 
Click Clear Form before adding a new entry. 
Virtual Servers 

Virtual Servers allow you to host any type of standard server (Web, FTP, DNS, Whois, POP3, 
Finger, SMTP, VPN, News, Gopher, and Telnet) using the Symantec Firewall/VPN. This lets you 
set up a Web server behind the firewall. External users connect to a domain assigned by the 
Dynamic DNS feature or the modem port IP address to access a virtual server. The Symantec 
Firewall/VPN automatically routes the traffic to the appropriate Host IP on the LAN. 

Types of Virtual Servers 

The Symantec Firewall/VPN supports two types of Virtual Servers: 

• Pre-defined - Standard server types. The only data required is the IP Address of the server 
on your LAN. 

• Custom-defined - Non-standard servers. You must provide additional information about 
the server (TCP or UDP port numbers). This can be done in the Custom Virtual Server 
screen. 
Figure 4-8: Virtual Servers screen 

To configure a Virtual Server 

1. Using the Host IP & Group screen, set up a static local IP for your server (or on the server 
itself). 

Virtual Servers need a local host with a static IP address to operate effectively. 
2. Check the Enable box next to the server type. 

Enter that local host LAN IP address to activate a pre-defined virtual server. You can have 
different virtual servers directed to the same host. 

3. Click Save. 

Virtual Servers example - IP Address seen by Internet users 

The following diagram (Figure 4-9 on page 4-20) shows an example network where both Internet 
users are connecting to the same IP Address, but are using different protocols or port numbers. To 
Internet users, all virtual servers on your network have the same IP Address. This is the IP Address 
of the External WAN Port field displayed on your STATUS screen. The previous Virtual Servers 
screen (Figure 4-8 on page 4-18) shows the configuration for this example. 

Exposed Host or DMZ is available for a single computer on the LAN. It exposes all ports on the 
specified host to the outside. For security, you should always keep this disabled until you need to 
use it. If you are having trouble with an application that uses the Internet, you can try this feature to 
troubleshoot. Creating a Special Application (see Special Applications on page 4-14) or Virtual 
Server (see Custom Virtual Server on page 4-20) may be helpful. You must choose a WAN port to 
expose the host. 
Figure 4-9: Virtual Server network diagram example 

Custom Virtual Server 

This function defines a custom server accessible from the outside by the Firewall/VPN's external 
WAN IP address. The Symantec Firewall/VPN then redirects the request to an internal local IP 
address for the virtual server. You should first check the Virtual Server screen to make sure your 
server is not already predefined. 
Figure 4-10: Custom Virtual Servers screen 

Existing Custom Virtual Servers 

If you have previously made an entry to this screen and you want to update or delete it, you must 
first select it from the Select Entry drop down list and then click Update Fields Below to access 
its settings. If you are adding a new entry, do not select an entry from the menu; alternatively, 
click Clear Form before adding the new entry. 

To configure a Custom Virtual Server 

1. Under Virtual Server Configuration, in the Name field enter any short descriptive name 
for your Custom Virtual Server. 
2. Check or uncheck the Enable box to enable or disable your server. 
Remember to click Update Entry if using with an existing virtual server. 

3. Enter your server LAN IP. 

Virtual Servers need a local host with a static IP address to operate effectively. Set up a 
static local IP for your server using the Host IP & Group screen (or on the server itself). 
Enter that IP here. 

4. Choose either TCP or UDP as the server protocol type. 

5. In the Port Ranges fields, enter the Start and Finish ports used by your server for both 
Internal and External. 

If only one port is used, enter the same number in both Start and Finish fields. Usually 
Internal and External should be the same, but you can Translate ports if different values 
are entered (for example: 2000-2500 internally can be translated to 3000-3500 externally). 

6. Click Add to add a new entry or one of the following: 

Click Delete to delete the entry shown and free up Symantec Firewall/VPN memory. 
Click Update if you have changed the entry shown. 
Click Clear Form before adding a new entry. 

Exposed Host (DMZ) 

This screen lets you define a custom server accessible from the outside by the Symantec 
Firewall/VPN's external WAN IP address. The unit redirects all requests not explicitly allowed by 
a virtual server rule to the exposed host. The Symantec Firewall/VPN then redirects the request to 
your internal local IP address for the virtual server. You should first check the Virtual Servers 
screen to make sure your server is not already predefined. For security reasons, make sure the 
exposed machine is "locked down" to prevent illegal access and compromise of the system. 
Figure 4-11: Exposed Host (DMZ) 
To configure an Exposed Host 

1. Enter the LAN IP address of the host PC you want to Expose. 

2. Select the WAN Port from the WAN Port drop down list. 

3. Select the session from the Session drop down list. 

4. Click the Enable radio button. 

5. Click Save. 
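The forwarding order the Custom Virtual Server and Exposed Host sections describe (virtual server rules first, then the exposed host if enabled, otherwise drop) and the port translation example (2000-2500 internal to 3000-3500 external), as an added Python model written for this page rather than Symantec's own code; the entry names, LAN addresses and the equal-width requirement on the two port ranges are assumptions.

```python
"""Inbound forwarding decision modelled on the Custom Virtual Server and
Exposed Host (DMZ) screens. Added illustration, not Symantec firmware code;
rule shapes, names and sample addresses are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CustomVirtualServer:
    """One entry of the Custom Virtual Server screen."""
    name: str
    enabled: bool
    lan_ip: str
    protocol: str           # "TCP" or "UDP"
    external_start: int     # External port range: what Internet users connect to
    external_finish: int
    internal_start: int     # Internal port range: what the LAN host listens on
    internal_finish: int

    def __post_init__(self) -> None:
        if self.protocol not in ("TCP", "UDP"):
            raise ValueError("protocol must be TCP or UDP")
        for start, finish in ((self.external_start, self.external_finish),
                              (self.internal_start, self.internal_finish)):
            if not 1 <= start <= finish <= 65535:
                raise ValueError("port range must satisfy 1 <= start <= finish <= 65535")
        # Translation maps the external range onto the internal range one-to-one
        # (2000-2500 internal <-> 3000-3500 external in the manual's example),
        # so both ranges must be the same width. Assumption made here.
        if (self.external_finish - self.external_start
                != self.internal_finish - self.internal_start):
            raise ValueError("internal and external port ranges must be the same size")

    def translate(self, protocol: str, external_port: int) -> Optional[int]:
        """Internal port for an external hit, or None if this entry does not match."""
        if not self.enabled or protocol != self.protocol:
            return None
        if not self.external_start <= external_port <= self.external_finish:
            return None
        return self.internal_start + (external_port - self.external_start)


@dataclass
class ExposedHost:
    """Exposed Host (DMZ) screen: one LAN host that receives everything else."""
    lan_ip: str
    enabled: bool = False


def route_inbound(rules: List[CustomVirtualServer], exposed: Optional[ExposedHost],
                  protocol: str, external_port: int) -> Optional[Tuple[str, int]]:
    """Decide where an inbound WAN packet goes.

    Returns (lan_ip, internal_port), or None when the packet is dropped because
    no virtual server rule matched and no exposed host is enabled.
    """
    for rule in rules:
        internal_port = rule.translate(protocol, external_port)
        if internal_port is not None:
            return (rule.lan_ip, internal_port)
    # Manual: requests not explicitly allowed by a virtual server rule are
    # redirected to the exposed host, unchanged, when DMZ is enabled.
    if exposed is not None and exposed.enabled:
        return (exposed.lan_ip, external_port)
    return None


# Constructed sample configuration (not the manual's tables).
RULES = [
    # The manual's port-translation example: 2000-2500 internal, 3000-3500 external.
    CustomVirtualServer("game-server", True, "192.168.0.20", "TCP", 3000, 3500, 2000, 2500),
    # A plain 1:1 entry on another host, like a pre-defined Web server.
    CustomVirtualServer("web", True, "192.168.0.30", "TCP", 80, 80, 80, 80),
    # A disabled entry never matches, so its port stays closed.
    CustomVirtualServer("old-ftp", False, "192.168.0.30", "TCP", 21, 21, 21, 21),
]
DMZ_OFF = ExposedHost("192.168.0.4", enabled=False)
DMZ_ON = ExposedHost("192.168.0.4", enabled=True)


if __name__ == "__main__":
    for proto, port in (("TCP", 3000), ("TCP", 3500), ("TCP", 80), ("TCP", 21), ("UDP", 3000)):
        print(proto, port, "->", route_inbound(RULES, DMZ_OFF, proto, port),
              "| with DMZ enabled:", route_inbound(RULES, DMZ_ON, proto, port))
```

Note how enabling the exposed host turns every unmatched port (the disabled FTP entry, the UDP hit) into a delivery to 192.168.0.4, which is why the manual says to keep DMZ disabled until needed.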






Expert Level 

This screen provides advanced settings for the Symantec Firewall/VPN. Most users can safely 
ignore these settings because the defaults are optimal and the most secure. 

Symantec Firewall/VPN 200 features broadband connection binding with its dual Modem Ports. 
You can mix connection types on the ports (actually, for backup reasons, this is recommended). So 
you can bind a cable Internet connection and a DSL connection, or Static IP and SDSL, PPPoE and 
DHCP. 

The Symantec Firewall/VPN 200 will bind the bandwidth on your two connections by sending 
network packets to both WAN ports. If you want, you can bind hosts to a single WAN port. Any 
single download on the network will not be able to exceed the maximum bandwidth available on a 
single WAN but the overall effect of this binding is that the entire network experiences vastly 
improved performance. The more computers you have, the greater the performance increase you'll 
notice over a single Internet connection. 

If you make any changes to the Expert Level Screen, click Save. 

Clicking Restore Defaults returns the Symantec Firewall/VPN to factory settings. 
Figure 4-12: Expert Level screen 

Expert Level Connection fields 
Load Balance 

On the Symantec Firewall/VPN 200 or 200R you have the option of manually setting the Load 
Balance to use when using the Broadband Connection Binding feature. This setting determines 
what percentage of packets are sent to either WAN port. For slower connections, use a lower value 
on that WAN port for best performance. You only enter the WAN port 1 percentage; WAN port 2's 
percentage is calculated from that value. 

SMTP Bind 

If you have Internet accounts from two separate ISPs connected simultaneously, you might have to 
make sure that your e-mail (SMTP protocol) only transmits on the WAN connection associated 
with your e-mail server. Otherwise, the server might reject the e-mail being sent from a different 
domain. You can choose WAN1 or WAN2. "None" (no binding) is the default. 

Idle Renew DHCP 

If you are experiencing disconnects from a DHCP type Internet account after periods of inactivity, 
enter a value into this field (minutes) after which the Symantec Firewall/VPN will try to 
automatically renew the connection. You must experiment to find the best value; the higher, the 
better. You can also Force Renew by clicking the button. 

MTU LAN PC 

The Symantec Firewall/VPN negotiates the MTU size from your ISP. You should leave this value 
unless for some reason the ISP is providing an MTU that's not optimal. MTU problems are 
evidenced by problems seeing certain websites, sending long e-mails, or extremely decreased 
performance. MTU can be set for each WAN port. 

Echo Request Timeout 

You should leave this setting unless told to change it by Symantec support. 
Expert Level - Advanced Features section fields 
Allow IDENT Port 

Port 113 (IDENT) normally contains the Host Name/Company Name information. By default the 
Symantec Firewall/VPN has all ports stealth. This makes your computer(s) invisible to those 
outside. Some servers (like certain e-mail or mIRC servers) use the IDENT port of the system 
accessing them. Enabling this setting makes Port 113 Closed, not Stealth (it is NOT Open). Only 
enable it if you are having problems accessing a server. 

NAT Function 

Disabling NAT turns the Symantec Firewall/VPN into a bridge or pure router. This is useful if you 
already have a NAT device on your network and are using the Symantec Firewall/VPN as a PPPoE 
"dial-up" device only. You must have routing entries made on the routing table or be using RIP2 
for proper communication with NAT disabled. 

RIP V2 

Lets you enable RIP2 functionality of the unit. RIP2 is a dynamic routing protocol used to direct 
traffic over routed networks. 

Log Level 

Choosing Debug will give more detailed information in the status log that is useful for Symantec 
support. It also throws all WAN side packets into the LAN for easy port scanning. Keep this 
setting at user level unless needed, as Debug mode can cause collisions under heavy traffic loads. 

IPsec Type 

IPsec pass through is implemented automatically by the Symantec Firewall/VPN. Keep at 2 SPI 
unless instructed by Symantec support. None lets you use your VPN client in Exposed Host 
(DMZ) mode if having problems connecting from behind the Symantec Firewall/VPN. 

Language 

You can choose one of the available languages for the user interface by checking the check box 
next to the language. 
Expert Level - SNMP Trap Receiver section fields 

Sets the IPs to receive the trap alerts from the unit. 

Expert Level - Remote Access IP Range section fields 

The Symantec Firewall/VPN's web interface can be accessed remotely from a range of IP 
addresses. For security reasons, Symantec recommends that all external remote management be 
done through a VPN tunnel. When using a VPN tunnel, simply point your browser to the internal 
IP address of the Symantec Firewall/VPN. 

To remotely configure the unit, enter the start and end IP range (enter the same value for both if it's 
a single IP). You can then access the unit from an external web browser by entering the WAN port 
IP followed by port 8088. 

For example: type "http://207.158.227.235:8088" into your external browser if 207.158.227.235 
was the address obtained from your ISP by the Symantec Firewall/VPN. You must be accessing 
from the IP range specified. Also, you should set the Configuration Password for security. 

Allow Remote Upgrade 

You can Enable Allow Remote Upgrade if you wish to remotely perform TFTP upgrades to the 
unit's firmware from the above IP range. The default is Disabled. 
Configuring Virtual Private Networks (VPN) 



This chapter describes the procedures for configuring VPN tunnels using VPN - Static Key, VPN - 
Dynamic Key and VPN - Client Identity features of the Symantec Firewall/VPN User Interface. It 
also provides a brief overview of VPNs, encryption and authentication. 

Virtual Private Networks allow companies to safely use unsecure communication channels to 
transport sensitive data. The most widely used VPN technology in the industry is based on the IPSec 
(IP Security) standards. IPSec is a suite of standards approved by the IETF (Internet Engineering 
Task Force) organization. The IPSec suite introduces security protocols that provide data integrity 
and data confidentiality through encryption. Data integrity ensures that the data has not been 
modified in transfer. It guarantees the receiver that the data it receives is exactly what was sent by 
the sender. Data confidentiality ensures that sensitive data cannot be read by a third party; clear text 
is scrambled with an encryption key or multiple encryption keys, and can only be unscrambled with 
the agreed upon secret key. 

In addition to these basic services, IPSec includes a variety of mechanisms that provide 
authentication, protection from replay attacks, and protection from denial-of-service attacks. 
Together all these services provide the infrastructure that allows a company to use an insecure 
medium such as the Internet to safely transfer sensitive information. 

The Symantec Firewall/VPN supports two types of VPN models: gateway-to-gateway, and client-
to-gateway (200R only). Gateway-to-gateway tunnels protect entire subnets. For example, they can 
be used to connect branch offices to the central office over the Internet, thus eliminating costly 
leased lines. 




Using the Symantec Firewall/VPN 200R, client-to-gateway VPN tunnels allow telecommuters or 
remote users to safely connect over the Internet to the office. This model minimizes costs 
associated with modem pools and costly 800 dial-up charges, as employees can use ISPs with local 
dial-up numbers to transparently connect to the office. 

The Symantec Firewall/VPN offers the following IPsec Encryption types: 

• AH MD5 
• AH SHA1 
• ESP DES 
• ESP DES MD5 
• ESP DES SHA1 
• ESP 3DES 
• ESP 3DES MD5 
• ESP 3DES SHA1 
• ESP MD5 
• ESP SHA1 

Table 5-1: IPSec Encryption types 

The Symantec Firewall/VPN offers two types of VPN tunnels; Static Key and Dynamic Key. 

• VPN - Static Key tunnel - A user manually enters an authentication key (long string of 
numbers and letters) as well as an encryption key (another string used for the encryption 
algorithm) if encryption is used. The keys must match on both sides of the VPN. Also an 
SPI (Security Parameter Index) is manually entered and included with every packet 
transmitted between gateways. The SPI is a unique identifier to the gateway that identifies 
what set of keys belong to what packet. 

• VPN - Dynamic Key tunnel - IKE (Internet Key Exchange) automatically generates 
authentication and encryption keys. Typically, a long password (called a "shared secret") 
is entered. The gateway needs to recognize this "password" for authentication to succeed. 
If the shared secret matches, then SPIs, authentication keys, and encryption keys are 
automatically generated and the tunnel is created. The gateway usually "re-keys" 
(generates a new key) automatically at set intervals to ensure the integrity of the key. 
To configure a VPN using Static Key 

Figure 5-1: VPN - Static Key screen (IPSec Security Association fields: Select Security 
Association, Update Fields Below, Name, Enable/Disable, PPPoE Session, Incoming SPI, 
Outgoing SPI, Encryption and Authentication Method, Encryption Key, Authentication Key; 
Remote Security Gateway fields: Gateway Address, NetBIOS Broadcast, Global Tunnel, 
Remote Subnet 1 to 5 IP and Mask; buttons: Add, Delete, Update Entry, Clear Form, Cancel) 
1. From the Main Menu, select VPN - Static Key. 

2. In the Name field, enter a descriptive name for the Security Association. 
The Security Association Name must be between 1 and 15 characters long. 

3. Click the Enable radio button. 

4. From the WAN drop down list, select a WAN port. 

5. From the PPPoE Session drop down list, select the Session number. 
Use Session 1 if you only have one session available from your ISP. 

6. In the Incoming SPI field, enter your Incoming Security Parameter Index (SPI). 

The Security Parameter Index (SPI) is a hexadecimal number (0-9, a-f, A-F) or a decimal 
number. Use 0X as a prefix for hex numbers. 

7. In the Outgoing SPI field, enter your Outgoing Security Parameter Index (SPI). 

The Security Parameter Index (SPI) is a hexadecimal number (0-9, a-f, A-F) or a decimal 
number. Use 0X as a prefix for hex numbers. 

8. From the Encryption Method drop down list, select an Encryption Method. 

9. In the Encryption Key field, enter your Encryption Key. 

The Encryption Key is a minimum of 8 characters or 16 hex numbers for DES and 24 
characters or 48 hex numbers for 3DES. 

10. In the Authentication Key field, enter your Authentication Key. 

The Authentication Key is a minimum of 16 characters or 32 hex numbers for MD5 and 
20 characters or 40 hex numbers for SHA1. 

11. In the Gateway Address field, enter the Gateway Address of the Destination Network. 

The format for the Gateway Address is a minimum of seven digits (x.x.x.x) and a 
maximum of fifteen digits (xxx.xxx.xxx.xxx). For the VPN client, set to 0.0.0.0. You can 
also use a DNS name in the Gateway Address field. 

12. Click the Enable NetBIOS Broadcast radio button to forward Netbios broadcast packets. 
Set to Enable to support Network Neighborhood on Windows through a VPN tunnel. 

13. In the Remote Subnet 1 field, enter the IP address of your Destination Network. 

14. In the Mask field, enter the Subnet Mask of your Destination Network. 

The format for the Destination Network Mask field is a minimum of seven digits 
(x.x.x.x) and a maximum of fifteen digits (xxx.xxx.xxx.xxx). 

If you have more than one Remote Network repeat the previous two steps for each 
additional Destination Network. 

15. Click Add to save your VPN Static Key information and create your Static VPN tunnel. 
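A pre-flight check of Static Key values against the format rules in steps 6 to 11 above (SPI syntax, minimum key length per algorithm, Gateway Address format), as an added Python example written for this page rather than Symantec's own code; the function names, the way the method string is split, and the 32-bit SPI bound are assumptions, while the minimum key lengths are the manual's own numbers.

```python
"""Checks for VPN - Static Key screen values. Added illustration for this
page, not Symantec firmware code; see the lead-in for what is assumed."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Minimum key length as (text characters, hex digits after the 0X prefix),
# exactly as the manual states for each algorithm (steps 9 and 10).
ENCRYPTION_KEY_MIN = {"DES": (8, 16), "3DES": (24, 48)}
AUTHENTICATION_KEY_MIN = {"MD5": (16, 32), "SHA1": (20, 40)}
_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_spi(text: str) -> int:
    """SPI is a decimal number, or hex with a 0X prefix (steps 6 and 7)."""
    t = text.strip()
    if t[:2].upper() == "0X":
        if not _HEX.fullmatch(t[2:]):
            raise ValueError(f"SPI {text!r}: 0X must be followed by hex digits")
        value = int(t[2:], 16)
    elif t.isdigit():
        value = int(t)
    else:
        raise ValueError(f"SPI {text!r}: must be decimal or 0X-prefixed hex")
    # An IPsec SPI is a 32-bit field; the manual gives no upper bound, so
    # this range check is an assumption added here.
    if value > 0xFFFFFFFF:
        raise ValueError(f"SPI {text!r}: exceeds 32 bits")
    return value


def split_method(method: str) -> Tuple[Optional[str], Optional[str]]:
    """'ESP DES MD5' -> ('DES', 'MD5'); 'AH SHA1' -> (None, 'SHA1')."""
    parts = method.upper().split()
    if not parts or parts[0] not in ("AH", "ESP"):
        raise ValueError(f"unknown method {method!r}")
    enc = next((p for p in parts[1:] if p in ENCRYPTION_KEY_MIN), None)
    auth = next((p for p in parts[1:] if p in AUTHENTICATION_KEY_MIN), None)
    return enc, auth


def key_problem(label: str, key: str, minimum: Tuple[int, int]) -> Optional[str]:
    """Message if `key` is below the manual's minimum for its algorithm, else None."""
    min_chars, min_hex = minimum
    if key[:2].upper() == "0X":            # hex form: count digits after 0X
        body = key[2:]
        if not _HEX.fullmatch(body):
            return f"{label}: 0X must be followed by hex digits only"
        if len(body) < min_hex:
            return f"{label}: {len(body)} hex digits, minimum is {min_hex}"
    elif len(key) < min_chars:             # text form: count characters
        return f"{label}: {len(key)} characters, minimum is {min_chars}"
    return None


def gateway_problem(address: str) -> Optional[str]:
    """Dotted quad of 7 to 15 characters, 0.0.0.0 for the VPN client, or a DNS name."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", address):
        try:
            ipaddress.IPv4Address(address)
        except ValueError:
            return f"Gateway Address {address!r}: octet out of range"
        return None
    if re.fullmatch(r"[A-Za-z0-9.-]+", address):
        return None                        # DNS name, accepted by step 11
    return f"Gateway Address {address!r}: not an IPv4 address or DNS name"


def validate_static_sa(method: str, encryption_key: str, authentication_key: str,
                       incoming_spi: str, outgoing_spi: str, gateway: str) -> List[str]:
    """Collect every value the manual's rules would reject; an empty list means OK."""
    try:
        enc, auth = split_method(method)
    except ValueError as exc:
        return [str(exc)]
    problems: List[str] = []
    if enc:
        p = key_problem(f"Encryption Key ({enc})", encryption_key, ENCRYPTION_KEY_MIN[enc])
        problems += [p] if p else []
    if auth:
        p = key_problem(f"Authentication Key ({auth})", authentication_key,
                        AUTHENTICATION_KEY_MIN[auth])
        problems += [p] if p else []
    for label, spi in (("Incoming SPI", incoming_spi), ("Outgoing SPI", outgoing_spi)):
        try:
            parse_spi(spi)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    p = gateway_problem(gateway)
    problems += [p] if p else []
    return problems


if __name__ == "__main__":
    # Constructed values: the DES key and SPIs follow Table 5-2 (300 is 0X12c);
    # the 32-hex-digit MD5 key is made up for this example.
    print(validate_static_sa("ESP DES MD5", "0X1234567890123456",
                             "0X" + "0123456789abcdef" * 2, "257", "0X12c", "2.2.2.2"))
```

Run it on both gateways' planned values before typing them in: the keys and SPIs must agree on both sides, so a rejected value here saves a silent tunnel failure later.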

To update a VPN configuration using Static Key 

1. From the Main Menu, select VPN - Static Key. 

2. From the Security Association drop down list, select a Security Association Name to view 
information about that Security Association. 

3. Click on Update Fields Below. 

4. Enter all new or changed information. 

5. Click Update Entry button to save your changes and update the VPN. 

To delete a VPN configuration using Static Key 

1. From the Main Menu, select VPN - Static Key. 

2. From the Security Association drop down list, select a Security Association Name to view 
information about that Security Association. 

3. Click Delete to delete the VPN. 
Static tunnel example 

The following example consists of a network diagram of a gateway-to-gateway static tunnel and a 
table ( Table 5-2 on page 5-7) that shows all of the entries required to configure both endpoints of 
this static tunnel. 




Figure 5-2: Static tunnel network diagram 
Table 5-2: Static tunnel network example settings 

VPN Static Key screen fields            Symantec FW/VPN 100 settings    Symantec FW/VPN 200 settings 
IPSec Security Association: 
Name                                    static_100_to_200               static_200_to_100 
Enable/Disable                          Enable                          Enable 
WAN Port                                WAN1                            WAN2 
PPPoE Session                           Session 1                       Session 1 
Incoming SPI                            257                             300 
Outgoing SPI                            300                             257 
Encryption and Authentication Method    ESP DES MD5                     ESP DES MD5 
Encryption Key                          0X1234567890123456              0X1234567890123456 
Authentication Key                      0X1234567890123456789012        0X1234567890123456789012 
Remote Security Gateway: 
Gateway Address                         2.2.2.2                         1.1.1.1 
NetBIOS Broadcast                       Disable                         Disable 
Global Tunnel                           Disable                         Disable 
Remote Subnet 1 IP                      192.168.0.0                     192.168.100.0 
Remote Subnet 1 Mask                    255.255.255.0                   255.255.255.0 
To configure a VPN with Dynamic Key 

Figure 5-3: VPN Dynamic Key screen part 1 (IPSec Security Association fields: Select Security 
Association, Update Fields Below, Name, Enable/Disable, WAN Port, PPPoE Session, Phase 1 
Negotiation (Main Mode or Aggressive Mode), Encryption and Authentication Method, SA Lifetime 
(minutes), Data Volume Limit (KBytes), Inactivity Timeout (minutes), Perfect Forward Secrecy; 
Local Security Gateway fields: ID Type, Phase 1 ID; Remote Security Gateway fields: Gateway 
Address, ID Type, Phase 1 ID, Pre-Shared Key. On-screen notes: you must bind the VPN tunnel to 
a WAN Port; enter 0.0.0.0 for a Client-to-Gateway tunnel; select Distinguished Name for 
Client-to-Gateway tunnels; leave Phase 1 ID and Shared Secret blank for a Client SA, where the 
Remote Client ID must match a User in the Client List.) 

Figure 5-4: VPN Dynamic Key screen part 2 (For Gateway-to-Gateway Tunnels fields: NetBIOS 
Broadcast, Global Tunnel, Remote Subnet 1 to 5 IP and Mask; buttons: Add, Delete, Update Entry, 
Clear Form, Cancel; Security Association List columns: Status, Name, Security Gateway, Remote 
Subnet, Encryption Method) 

1. From the Main Menu, select VPN - Dynamic Key. 

2. In the Name field, enter a descriptive name for the Security Association. 

3. Click the Enable radio button. 

4. From the WAN drop down list, select a WAN port. 

5. From the PPPoE Session drop down list, select the Session number. 
Use Session 1 if you only have one session available from your ISP. 

6. Click the Main Mode or Aggressive Mode radio button to set the Phase 1 Negotiation 
Mode. 

Main Mode uses an exchange of six messages to validate the identity of the initiator and 
respondent. By default, main mode uses IP addresses to identify the VPN gateways. 
However, this may be overwritten with a string label if the address of the gateway is 
NATted on the network. Main Mode provides the most protection from encryption based 
denial of service attacks. 

Aggressive Mode uses three message exchanges between the initiator and respondent 
during key negotiation. It does not depend on the IP address of the two devices; therefore 
it is often used for VPN tunnels where IP addresses are not known ahead of time. For 
example, telecommuters typically get a dynamic IP address from their ISPs, so something 
else is needed to identify the requestor. Typically in client-to-gateway configurations a 
user ID is the form of identification. 

7. From the Encryption Method drop down list, select an Encryption Method. 

8. In the SA Lifetime field, enter the life time in minutes that the Security Association will 
stay active before automatically rekeying. 

9. In the SA Data Volume Limit field, enter the amount of data in Kbytes that can pass 
through the VPN before the Security Association automatically rekeys. 

10. In the Inactivity Timeout Seconds field, enter the inactivity time in seconds before the 
VPN will automatically close down. 

11. Click the Perfect Forward Secrecy Enable or Disable radio button to set Perfect 
Forward Secrecy (PFS) for a Diffie-Hellman exchange in IKE phase 2. 

12. Under Local Security Gateway, from the ID Type drop down list, select the IKE Phase 1 
negotiation ID type, IP Address or Distinguished Name. 

13. In the Phase 1 ID field, enter the value or name for the Phase 1 ID. 
The default is the IP address of the gateway when IP Address is selected as the ID Type. 

14. Under Remote Security Gateway, in the Gateway Address field, enter the Gateway 
Address of the Destination Network. 

The Gateway Address could be an IP address or the DNS name of the remote gateway. 
0.0.0.0 is reserved for client-to-gateway configurations. 

15. In the Pre-Shared Key field, enter your Pre-Shared Key. 

The Pre-Shared Key is a pre-defined key used by the two end points of a VPN tunnel to 
identify each other. 
The Pre-Shared Key is a minimum of 20 characters and a maximum of 64 characters. 

16. Under For Gateway-to-Gateway Tunnels, click the Enable NetBIOS Broadcast radio 
button to forward Netbios broadcast packets. 

17. Click the Global Tunnel Enable or Disable radio button. 

Enabling the Global Tunnel for a VPN tunnel forces all outbound (Internet) traffic to go 
through the VPN tunnel. This is useful for security policies that call for all internal traffic 
to pass through a centralized gateway. 

18. In the Remote Subnet 1 IP field, enter the IP address of your Destination Network. 

The format for the Remote Subnet 1 IP is a minimum of seven digits (x.x.x.x) and a 
maximum of fifteen digits (xxx.xxx.xxx.xxx). 

19. In the Remote Subnet 1 Mask field, enter the Subnet Mask of your Remote Subnet. 

If you have more than one Remote Subnet repeat the previous two steps for each 
additional Remote Subnet. 

20. Click Add to save your VPN Dynamic Key information and create your VPN. 

To update a VPN configuration using Dynamic Key 

1. From the Main Menu, select VPN - Dynamic Key. 

2. From the Security Association drop down list, select a Security Association Name to 
view information about that Security Association. 

3. Click Update Fields Below. 

4. Enter all new or changed information. 

5. Click Update Entry to save your changes and update the VPN. 

To delete a VPN configuration using Dynamic Key 

1. From the Main Menu, select VPN - Dynamic Key. 

2. From the Security Association drop down list, select a Security Association Name to 
view information about that Security Association. 

3. Click Delete to delete the VPN. 

Dynamic tunnel example 

The following example consists of a network diagram of a gateway-to-gateway dynamic tunnel 
and a table ( Table 5-3 on page 5-13) that shows all of the entries required to configure both 
endpoints of this dynamic tunnel. 




Figure 5-5: Dynamic tunnel example 
Table 5-3: Dynamic tunnel network example settings

VPN Dynamic Key screen fields       Symantec FW/VPN 100 settings    Symantec FW/VPN 200 settings

IPSec Security Association:
  Name                              dynamicIKE_100_to_200           dynamicIKE_200_to_100
  Enable/Disable                    Enable                          Enable
  WAN Port                          WAN 1                           WAN 2
  PPPoE Session                     Session 1                       Session 1
  Phase 1 Negotiation               Main Mode                       Main Mode
  Encryption and Authentication
  Method                            ESP DES MD5                     ESP DES MD5
  SA Lifetime                       0 (0 means no limit)            0 (0 means no limit)
  Data Volume Limit                 0 (0 means no limit)            0 (0 means no limit)
  Inactivity Timeout                0 (0 means no limit)            0 (0 means no limit)
  Perfect Forward Secrecy           Enable                          Enable

Local Security Gateway:
  ID Type                           IP Address                      IP Address
  Phase 1 ID                        blank                           blank

Remote Security Gateway:
  Gateway Address                   2.2.2.2                         1.1.1.1
  ID Type                           IP Address                      IP Address
  Phase 1 ID                        blank                           blank
  Pre-Shared Key                    everygoodboydoesfine            everygoodboydoesfine

For Gateway-to-Gateway Tunnels:
  NetBIOS Broadcast                 disable                         disable
  Global Tunnel                     disable                         disable
  Remote Subnet 1 IP                192.168.0.0                     192.168.100.0
  Remote Subnet 1 Mask              255.255.255.0                   255.255.255.0

Read the two columns as mirror images: the FW/VPN 100 is reached at 1.1.1.1 and fronts
192.168.100.0/24, the FW/VPN 200 is reached at 2.2.2.2 and fronts 192.168.0.0/24, so each
unit's Gateway Address is the other unit's WAN address and each unit's Remote Subnet is the other
unit's LAN. Everything else must be identical on both ends. The pre-shared key shown is only an
example; use a long random value. A value of 0 for SA Lifetime, Data Volume Limit and Inactivity
Timeout means the security association is never rekeyed, and ESP DES MD5 is weaker than the
ESP 3DES SHA1 method the unit also offers (see Figure 7-5).
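As an added example (not code from the manual or from Symantec), the following Python models the two columns of Table 5-3 and checks them against each other the way the table is meant to be read: the mirrored addresses, the identical Phase 1 and Phase 2 settings and the pre-shared key. The wan_ip and lan_subnet arguments are this example's own names for what the other end must type in; the addresses and the key are the ones in the table.

```python
"""Cross-check the two ends of a gateway-to-gateway Dynamic Key (IKE) tunnel.

Added example; this is not code from the Symantec manual. It models the
Table 5-3 entries as dicts and checks the mirroring the table relies on:
each side's Gateway Address must be the other side's WAN address, each
side's Remote Subnet must be the other side's LAN, and the pre-shared key
and every Phase 1 / Phase 2 parameter must be identical. The wan_ip and
lan_subnet fields are not screen fields; they are this example's way of
stating what the *other* end must enter.
"""
from ipaddress import ip_address, ip_network

# Single DES and MD5 are obsolete; ESP 3DES SHA1 is the stronger method this
# appliance offers (Figure 7-5).
WEAK_ALGORITHMS = {"DES", "MD5"}
SAME_ON_BOTH_ENDS = ("method", "phase1", "pfs", "sa_lifetime",
                     "data_volume_limit", "inactivity_timeout")


def endpoint(name, wan_ip, lan_subnet, remote_gateway, remote_subnet, psk,
             method="ESP DES MD5", phase1="Main Mode", pfs=True,
             sa_lifetime=0, data_volume_limit=0, inactivity_timeout=0):
    """One appliance's VPN Dynamic Key entry (lifetimes of 0 mean no limit)."""
    return {
        "name": name,
        "wan_ip": ip_address(wan_ip),
        "lan_subnet": ip_network(lan_subnet),
        "remote_gateway": ip_address(remote_gateway),
        "remote_subnet": ip_network(remote_subnet),
        "psk": psk,
        "method": method,
        "phase1": phase1,
        "pfs": pfs,
        "sa_lifetime": sa_lifetime,
        "data_volume_limit": data_volume_limit,
        "inactivity_timeout": inactivity_timeout,
    }


def check_pair(a, b):
    """Return (errors, warnings). Errors stop the tunnel from coming up;
    warnings are settings a security reviewer would push back on."""
    errors, warnings = [], []
    for me, other in ((a, b), (b, a)):
        if me["remote_gateway"] != other["wan_ip"]:
            errors.append(f"{me['name']}: Gateway Address {me['remote_gateway']} "
                          f"is not {other['name']}'s WAN address {other['wan_ip']}")
        if me["remote_subnet"] != other["lan_subnet"]:
            errors.append(f"{me['name']}: Remote Subnet {me['remote_subnet']} "
                          f"is not {other['name']}'s LAN {other['lan_subnet']}")
        if not 20 <= len(me["psk"]) <= 64:
            errors.append(f"{me['name']}: pre-shared key must be 20 to 64 characters")
    if a["lan_subnet"].overlaps(b["lan_subnet"]):
        errors.append("the two LANs overlap; traffic cannot be routed through the tunnel")
    if a["psk"] != b["psk"]:
        errors.append("psk differs between the two ends")  # never log the key itself
    for field in SAME_ON_BOTH_ENDS:
        if a[field] != b[field]:
            errors.append(f"{field} differs: {a[field]!r} vs {b[field]!r}")
    weak = sorted(WEAK_ALGORITHMS & set(a["method"].split()))
    if weak:
        warnings.append(f"{a['method']} uses obsolete {', '.join(weak)}; "
                        "select the strongest method both ends support")
    if a["sa_lifetime"] == 0 and a["data_volume_limit"] == 0:
        warnings.append("SA Lifetime and Data Volume Limit are both 0: the SA never rekeys")
    if not a["pfs"]:
        warnings.append("Perfect Forward Secrecy disabled")
    return errors, warnings


# The two columns of Table 5-3. FW/VPN 100 is reached at 1.1.1.1 and fronts
# 192.168.100.0/24; FW/VPN 200 is reached at 2.2.2.2 and fronts 192.168.0.0/24.
FW100 = endpoint("dynamicIKE_100_to_200", "1.1.1.1", "192.168.100.0/24",
                 "2.2.2.2", "192.168.0.0/24", "everygoodboydoesfine")
FW200 = endpoint("dynamicIKE_200_to_100", "2.2.2.2", "192.168.0.0/24",
                 "1.1.1.1", "192.168.100.0/24", "everygoodboydoesfine")

if __name__ == "__main__":
    errs, warns = check_pair(FW100, FW200)
    print("errors:", errs)
    print("warnings:", warns)
```

Run as written, the table's pair produces no errors and two warnings (the DES/MD5 method and the never-rekey lifetimes). Changing one character of either pre-shared key, or mistyping a Gateway Address, shows up as an error before anything is entered on the appliance.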



[Screen image. Fields shown:
 User Identity: Select User (select only if updating or deleting current users); Update Fields
 Below (select a user above first unless adding); Enable check box; User Name (must match the
 Client ID offered by the remote VPN client); Pre-Shared Key.
 Buttons: Add, Delete, Update Entry, Clear Form, Cancel.
 User List: columns Name, Enable?, Pre-Shared Key.]

Figure 5-6: VPN Client Identity screen

The VPN Client Identity screen identifies and enables VPN Client users. It also defines their
pre-shared keys.

To add a new VPN Client user

1. From the Symantec Firewall/VPN 200R Main Menu, select Client Identity.

2. Under User Identity, click Enable.

3. In the User Name field, enter the user name. It must match the Client ID the remote VPN
client will offer.

4. In the Pre-Shared Key field, enter the pre-shared key.
The pre-shared key must be between 20 and 64 characters. Give each user a different, randomly
generated key, since the key is what identifies that user to the gateway.

5. Click Add.
6

Utilities

Backup / Analog / ISDN



This screen lets you set up the Automatic Backup or Analog/ISDN connection information. You 
must connect an external modem (analog or ISDN) to the Symantec Firewall/VPN's serial port in 
order to use this feature. In backup mode, the Symantec Firewall/VPN will automatically dial when 
broadband drops. It will also automatically re-engage broadband when it comes back online. You 
can also manually engage the Analog/ISDN connection. 



[Screen image. Fields shown:
 Backup: Enable check box.
 Connection: Internet Access - Normal, or ISDN or Analog Only (no Broadband); Hang Up and
 Dial buttons; Save, Cancel, Refresh.
 ISP Account Information: User Name, Password, Verify, IP Address (provided by ISP), Dial-up
 Telephone 1, 2 and 3 (only digits, example: 2123335555).
 Modem Settings: Model (drop-down; initialization string for "Others" only, shown as AT&F),
 Line Speed (drop-down), Line Type (Dial Up Line), Dial Type (tone), Dial String (ATDT), Redial
 String (ATDL), Idle Time Out (minutes).
 Analog Status: Port Status, PPP Link, Phone Line Speed, Physical Link, PPP IP Address.]

Figure 6-1: Backup/Analog/ISDN screen




If your Internet connection type is Dynamic DHCP or Static IP, the Alive Indicator must be set.
The Symantec Firewall/VPN uses the Alive Indicator to decide whether the WAN connection is
working even when no traffic is flowing on it, which is what triggers backup activation. Every 20
seconds the unit pings the ISP's gateway or DNS server to see if it is connected. Normally this is
fine, but some ISPs block pings to their gateways; in that case enter a host name or IP address in
this field as an additional ping target that is tried when the gateway does not respond (do not use
the http:// prefix). Test by pinging it manually first, and choose a host that reliably answers
pings, because a target that stops answering would make the unit fail over to the modem for no
reason. Not used for PPPoE.

To configure Backup/Analog/ISDN

1. Under Backup, check the Enable check box.

When enabled, the Symantec Firewall/VPN connects automatically when broadband
disconnects.

2. Under Connection, in the Internet Access field, select Normal or ISDN or Analog Only
(no Broadband) to identify your connection type.

3. Click Hang Up or Dial to manually disconnect from or connect to your ISP analog account.
Note: Always click Save after altering settings.

4. Under ISP Account Information, enter your Analog/ISDN ISP account information.

a. In the User Name field, enter your Analog/ISDN ISP account user name.

b. In the Password field, enter your Analog/ISDN ISP account password.

c. In the Verify field, re-enter your Analog/ISDN ISP account password.

d. In the IP Address field, enter your IP address.
Consult your ISP for the IP address.

e. In the Dial-up Telephone 1 field, enter your ISP's dial-up number as a continuous
string without any spaces or dashes.

You can enter up to 3 phone numbers; the next one is dialed if the first is busy.

5. Under Modem Settings, enter your modem information.

a. From the Modem drop-down menu, select your modem type.

Consult your modem's user manual for the best settings. Several modems are
predefined. If your modem isn't listed, select Others and enter an initialization
string for your modem. If you do not know what to enter for an initialization string,
consult your modem company.

b. From the Line Speed drop-down menu, select your ISP connection's line speed.
If you have trouble connecting, lower the line speed.

c. From the Line Type drop-down menu, select your line type.

Line type is usually Dial-Up, but select Leased Line if that is your setup.

d. Dial Type and Strings:

Do not change these settings unless you do not have tone dial. Consult your modem
manual if you want to change dial strings.

e. In the Idle Time Out field, enter the inactivity time in minutes if you wish to
automatically disconnect from your Analog/ISDN account after a period of inactivity.

Enter 0 to leave the modem always on.

Analog Status provides information useful for technical support should there be a problem with
your PPP (Analog/ISDN) connection.

Serial configuration console

The Symantec Firewall/VPN can be configured or reset through the Serial port using the included
Null Modem Cable connected to the COM port of a computer. This configuration console is very
useful for installing the Symantec Firewall/VPN into an existing network, because you can set its
addresses before it is connected and so keep it from interfering with the network. With the Serial
Configuration console you can:

• Change the LAN IP address from the default of 192.168.0.1

• Change the LAN Network Mask

• Disable / Enable the DHCP Server (enabled by default)

• Change the Start and Finish IP range for the DHCP server
To use the Serial console

1. Connect the Null Modem cable from your computer's COM port to the Serial port on the
Firewall/VPN.

2. Set DIP Switch 3 to ON (Down position) on the Firewall/VPN.

3. Start up a terminal program (HyperTerminal is included with Windows).

4. Set it to connect directly to your COM port (usually COM1 or COM2).

5. Set the communications settings as follows to connect to the Firewall/VPN:

   Baud (Bits per Second)    9600
   Data Bits                 8
   Parity                    None
   Stop Bits                 1
   Flow Control              None

6. Once your terminal is connected with the above settings, press the Reset switch on the
Firewall/VPN. You should see the console terminal screen appear.



   1. Local IP Address:      192.168.0.1
   2. Local Network Mask:    255.255.255.0
   3. DHCP Server (1:Enable, 2:Disable)
   4. Start IP Address:      192.168.0.2
   5. Finish IP Address:     192.168.0.51
   6. Restore to default
   7. Save

   Select ?_

Figure 6-2: Console terminal screen

7. Make your selections and remember to select Save (7) after you are done.

8. Set DIP Switch 3 to OFF (up) after using the Console. The console asks for no password, so
leave the switch off and keep the unit where the serial port cannot be reached casually.
Manual reset

An incorrect setting in the LAN IP & DHCP screen, or a forgotten configuration password, can
leave you unable to access the unit. Pressing the Reset switch on the unit will not restore the
default IP settings or erase the password. You must follow the steps below to regain connectivity
with the Firewall/VPN.

This procedure does the following: 

• Restores the unit's IP address to the default: 192.168.0.1 

• Restores the unit's network mask to the default: 255.255.255.0 

• Clears the interface password 

• Enables the DHCP Server 

To manually reset the Symantec Firewall/VPN

Note: Read these steps completely before starting to reset the Firewall/VPN.
Note: You'll need a paper clip for this procedure.

1. Turn off power to the Symantec Firewall/VPN by pulling the power plug from the back of
the unit.

2. Set DIP switch 1 to ON (down).

3. Insert the power plug back into the unit and WAIT 4 SECONDS.

4. Immediately, using the paper clip, flip DIP switch 1 OFF (UP).

5. Flip DIP switch 1 ON (DOWN) again.

6. Flip DIP switch 1 OFF (UP).

This reboot sequence should be completed within 10 seconds of plugging in the power to
the Firewall/VPN.

7. When you see the LAN Link LEDs flash and the Reset Sequence begin again, the unit is now
reset.

8. Remove the power plug.

9. Wait for a moment and re-insert the power plug.

It is important that you do not wiggle the switch too quickly. Use slow, smooth movements. Practice
Step 4 with the power off before trying for the first time.

The unit should now have its IP & network mask defaults and password cleared. Because this
sequence needs nothing but physical access to the switches, anyone who can reach the unit can
clear its password the same way: keep the appliance in a locked location and set a new
configuration password immediately after a reset.

Configuration back up

The Symantec Firewall/VPN lets you back up the configuration settings you made through the user
interface, should something happen to the unit. This procedure results in a small file that can be put
on a floppy and into a firesafe box or other safe place. Treat the file as sensitive: it carries the
settings you entered through the interface, so anyone holding it holds your configuration.

To perform these steps, you will need to use the "nxtftpw" utility. There are two versions of the
"nxtftpw" utility: a Windows (Win95/98/ME/NT & 2000) version and a DOS version. Both are
available on the CD in the Utilities directory. The following procedure uses the Windows version.

To retrieve the backup file

1. Power off the unit by pulling the power plug from the back of the Firewall/VPN.

2. Flip DIP switches 1 and 2 to the ON position (DOWN).

3. Put the power plug back into the Firewall/VPN.

4. Copy the nxtftpw utility from the CD to a folder on your hard drive.

5. Double-click the nxtftpw icon.

6. Enter the IP address of the Symantec Firewall/VPN into the Server IP field (it should be
192.168.0.1 unless you changed it).

7. Enter any filename for the backup file into Local File ("config" works).

8. Press the Get button.

After a moment, a file with the name you entered appears in the same folder as the nxtftpw
application. You can now copy this file to a floppy for safe keeping.

9. Return DIP switches 1 & 2 to OFF. Do not leave them on once you have the file.
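The following added example (not the nxtftpw tool's code and not code from the manual) performs the same retrieval at the packet level in Python, together with a small stand-in server so the whole exchange can be run on loopback. That nxtftpw speaks TFTP is inferred from its name and its Server IP / Local File / Get fields, and the file name requested from the unit ("config") is an assumption. It also shows why the DIP-switch step matters: TFTP carries no credential of any kind, so whoever can send a read request while the switches are on gets the file.

```python
"""Fetch the appliance configuration file over TFTP, which is what the
nxtftpw 'Get' button does.

Added example; not code from the manual or the nxtftpw tool. That nxtftpw is
a TFTP client (RFC 1350) is inferred from its name and its Server IP / Local
File / Get fields, and the name requested from the unit ("config") is
assumed. A minimal in-process server is included so the whole exchange
(RRQ, then DATA/ACK until a block shorter than 512 bytes) can be run on
loopback. TFTP has no authentication and no encryption: run it only from
the LAN side with DIP switches 1 and 2 on, and guard the file afterwards.
"""
import socket
import struct
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512


def build_rrq(filename, mode="octet"):
    """RRQ = opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)


def parse_packet(pkt):
    """Return (opcode, block-or-error-code, payload); reject anything else."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    op, arg = struct.unpack("!HH", pkt[:4])
    if op not in (OP_DATA, OP_ACK, OP_ERROR):
        raise ValueError(f"unexpected opcode {op}")
    return op, arg, pkt[4:]


def tftp_get(server, filename, port=69, timeout=3.0):
    """Read `filename` from `server` and return its bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_rrq(filename), (server, port))
        peer, expected, data = None, 1, bytearray()
        while True:
            pkt, addr = sock.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr            # the server answers from a fresh port (its TID)
            elif addr != peer:
                continue               # anything from another sender is ignored
            op, block, payload = parse_packet(pkt)
            if op == OP_ERROR:
                text = payload.rstrip(b"\0").decode(errors="replace")
                raise RuntimeError(f"tftp error {block}: {text}")
            if op != OP_DATA:
                continue
            if block == expected:
                data += payload
                expected = (expected + 1) & 0xFFFF
            sock.sendto(build_ack(block), peer)   # ACK duplicates too, repairing a lost ACK
            if len(payload) < BLOCK:
                return bytes(data)


def serve_once(content, host="127.0.0.1"):
    """Read-only TFTP server for one transfer (demo helper); returns its port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    port = listener.getsockname()[1]

    def run():
        pkt, client = listener.recvfrom(1024)
        listener.close()
        if struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
            return
        chunks = [content[i:i + BLOCK] for i in range(0, len(content), BLOCK)]
        if not chunks or len(chunks[-1]) == BLOCK:
            chunks.append(b"")         # a transfer always ends with a short block
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as xfer:   # new TID
            xfer.settimeout(2.0)
            for n, chunk in enumerate(chunks, 1):
                for _ in range(3):     # resend until the block is acknowledged
                    xfer.sendto(build_data(n, chunk), client)
                    try:
                        op, blk, _ = parse_packet(xfer.recv(4))
                    except socket.timeout:
                        continue
                    if op == OP_ACK and blk == n:
                        break

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    sample = b"# constructed stand-in for the appliance's config file\n" * 40
    port = serve_once(sample)
    got = tftp_get("127.0.0.1", "config", port=port)
    print(len(got), "bytes retrieved, match:", got == sample)
```

Against the real unit you would call tftp_get("192.168.0.1", "config") with the switches on and write the returned bytes to disk. The transfer ID check (ignoring datagrams that do not come from the port the server first answered from) is the only protection TFTP gives against a third party injecting blocks, and it is trivially spoofed on a shared segment, which is one more reason to do this on an isolated LAN.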



View Log

The Symantec Firewall/VPN View Log screen displays a record of system events.

[Screen image. The log is a table with the columns UTC Time, Message, Source, Destination and
Note.]

Figure 6-3: View Log screen

Log Settings 

This screen lets you set the type of log entries recorded and to set log forwarding parameters. Logs 
generated on the Symantec Firewall/VPN are buffered in a limited memory space. When the log is 
full, new entries overwrite the oldest ones so it is best to have the log forwarded. 
[Screen image. Fields shown:
 Forwarding: Syslog Server (enter the IP or domain of a host running a standard Syslog utility);
 SMTP Server; Email Sender; Email Receiver; Email Log.
 Log Type check boxes: System (system activity, connection status); Debug (debug information);
 Blocked (packets blocked by access filter); Dropped (packets dropped by a firewall rule);
 Attack (detected attack).
 Time: Alternate NTP Server (if using an NTP proxy, enter it here; otherwise standard NTP
 servers are used).
 Buttons: Save, Cancel, Clear Log.]

Figure 6-4: Log Settings screen



To configure Log Settings

1. Under Forwarding, in the Syslog Server field, enter the IP address or domain name of a host
running a standard Syslog utility to receive the log entries. Standard syslog forwarding is plain
UDP with no authentication or encryption, so place the collector on the LAN side rather than
across the Internet.

2. In the SMTP Server field, enter the IP address or host name of the SMTP server that will relay
the emailed log.

3. In the Email Sender field, enter the email address the log will be sent from.
The Email Sender field holds a maximum of 39 characters.

4. In the Email Receiver field, enter the address the log will be sent to.
The Email Receiver field holds a maximum of 39 characters. If you want more than one
receiver, separate them using a comma.

5. Under Log Type, check the boxes for the types of messages you want to log. Keep System,
Dropped and Attack on; Debug is only useful while troubleshooting.

6. Under Time, in the Alternate NTP Server field, enter the IP address of the alternate NTP
server.

If you are using a proxy or are behind a firewall that requires an NTP gateway, enter its IP
address here. Otherwise standard NTP servers will be used to obtain the time for log
entries. Log entries are stamped in UTC (see Figure 6-3), so a correct clock is what lets you
line the appliance's log up with the collector's.

7. Click Save.
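Once forwarding is on, the collector is where detection actually happens. The following added example (not code from the manual) parses forwarded lines as a standard syslog collector would see them and counts Attack, Dropped and Blocked events per source address. The appliance's exact message text is not documented on this page, so the sample lines are constructed; only the five Log Type keywords from the Log Settings screen and the RFC 3164 PRI encoding are taken from the page and the standard.

```python
"""Parse log lines forwarded by the appliance to a standard syslog collector
and summarise the Blocked / Dropped / Attack events by source.

Added example; not code from the manual. The page does not document the
appliance's exact message text, so the sample lines below are constructed:
a standard RFC 3164 header (<PRI>, timestamp, host) followed by one of the
Log Type keywords from the Log Settings screen and free text. Only the PRI
decoding and the five log types come from the standard and the screen.
"""
import re
from collections import Counter

LOG_TYPES = ("System", "Debug", "Blocked", "Dropped", "Attack")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                      # facility 0-23, severity 0-7
        return None
    facility, severity = divmod(pri, 8)
    msg = m["msg"]
    log_type = next((t for t in LOG_TYPES if msg.startswith(t + ":")), "Unknown")
    addrs = IPV4.findall(msg)          # first address = source, second = destination
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "host": m["host"],
        "type": log_type,
        "src": addrs[0] if addrs else None,
        "dst": addrs[1] if len(addrs) > 1 else None,
        "msg": msg,
    }


def summarise(lines):
    """Count events per log type, and per (type, source) for the security-relevant types."""
    by_type, by_source = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_type[rec["type"]] += 1
        if rec["type"] in ("Attack", "Dropped", "Blocked") and rec["src"]:
            by_source[(rec["type"], rec["src"])] += 1
    return by_type, by_source


# Constructed sample of what a collector might receive (not real appliance output).
SAMPLE = [
    "<134>Mar  3 10:15:01 fwvpn200 System: WAN1 link up, address 1.1.1.1",
    "<132>Mar  3 10:15:07 fwvpn200 Dropped: TCP 203.0.113.9:4123 -> 1.1.1.1:23 by rule 4",
    "<129>Mar  3 10:15:09 fwvpn200 Attack: SYN flood from 203.0.113.9 to 1.1.1.1",
    "<129>Mar  3 10:15:10 fwvpn200 Attack: SYN flood from 203.0.113.9 to 1.1.1.1",
    "<131>Mar  3 10:15:12 fwvpn200 Blocked: UDP 198.51.100.7:5353 -> 1.1.1.1:5353 by access filter",
    "garbage that is not a syslog line",
]

if __name__ == "__main__":
    types, sources = summarise(SAMPLE)
    print(dict(types))
    for (kind, src), n in sources.most_common():
        print(f"{kind:8} {src:16} {n}")
```

Feeding the collector's file through summarise() gives the per-source counts that a threshold alert or a block-list update can be built on; a line that does not parse is skipped rather than allowed to break the run, which matters once a real appliance (or an attacker who can reach UDP 514) starts sending lines you did not anticipate.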
7

Configuring the Symantec Firewall/VPN to the Symantec Enterprise VPN

The Symantec Firewall/VPN offers the ability to create tunnels between itself and a Symantec
Enterprise VPN Server (SEVPN). This tunnel can either be created statically, or dynamically using
IKE. This chapter outlines the steps necessary to create both static and dynamic tunnels.

Note: This chapter focuses on the steps needed on the Symantec Firewall/VPN only. This
chapter assumes that the SEVPN is already configured and information on that
configuration is available. Refer to the applicable sections in the Symantec Enterprise
Firewall and Symantec Enterprise VPN Installation Guide and the Symantec Enterprise
Firewall and Symantec Enterprise VPN Configuration Guide if you need help configuring
the SEVPN.

[Network diagram: the Symantec Firewall/VPN and the SEVPN connected across the Internet,
each protecting its own network.]

Figure 7-1: Symantec Firewall/VPN connecting to Symantec Enterprise VPN

Static tunnel 

Static tunnels are configured by specifying all of the key information for the tunnel on both ends. 
Each end must match identically for the tunnel to work properly. Static tunnels can use either DES 
or 3DES strength for encapsulation. 
Symantec Firewall/VPN Static tunnel configuration

[Network diagram: the Symantec Firewall/VPN tunnelled to the SEVPN. The label that survived
extraction is a host at 10.10.10.4 on the network the SEVPN protects.]

Figure 7-2: VPN - Static tunnel diagram

On the Symantec Firewall/VPN appliance, select the VPN - Static option from the configuration
page. You should be presented with a screen similar to Figure 7-3 on page 7-4.
[Screen image of the VPN Static Key screen, filled in for the example:
 IPSec Security Association: Select Security Association (select only if updating or deleting an
 existing configuration); Update Fields Below (select an SA above first unless adding);
 Name 200_to_SEVPN; Enable; WAN Port WAN 1 (you must bind the VPN tunnel to a WAN port);
 PPPoE Session Session 1 (select the PPPoE session to bind the VPN tunnel to); Incoming SPI
 257; Outgoing SPI 257; Encryption and Authentication Method ESP DES MD5; Encryption Key
 0x1234567890123456; Authentication Key 0x12345678901234567890123456789012.
 Remote Security Gateway: Gateway Address 192.168.40.1; NetBIOS Broadcast Disable; Global
 Tunnel Disable; Remote Subnet 1 IP with Mask 255.255.255.0; Remote Subnet 2 to 5 IP and
 Mask (blank).
 Buttons: Add, Delete, Update Entry, Clear Form, Cancel.
 The key values are placeholders for the screen shot; real keys come from the SEVPN.]

Figure 7-3: VPN Static configuration screen
Initially, the screen you see should be blank with a few of the defaults entered. In order to properly
configure a static tunnel you will need the following information from the SEVPN:

• Gateway IP address of the SEVPN.

• Destination network protected by the SEVPN.

• Netmask of the destination network protected by the SEVPN.

• Local SPI.

• Remote SPI.

• Encryption parameters on SEVPN (DES, 3DES, SHA1, etc.)

• Privacy Algorithm Key.

• Integrity Algorithm Key.

To configure the tunnel:

1. In the Name field, enter a new name for this tunnel.

2. Check Enable.

3. Select the WAN Port you want to bind the VPN tunnel to.

4. Select the PPPoE Session you want to bind the tunnel to.

5. Set the Incoming SPI to match the Remote SPI from the SEVPN.

6. Set the Outgoing SPI to match the Local SPI from the SEVPN.

7. Select the Encryption and Authentication Method to match the parameters from the
SEVPN.

8. Set the Encryption Key to match the Privacy Algorithm Key from the SEVPN. If you are
using 3DES, append the three keys from the SEVPN, in order, to form one key.

9. Set the Authentication Key to match the Integrity Algorithm Key on the SEVPN.

10. Set the Gateway Address to the Gateway Address of the SEVPN.

11. Check Disable for NetBIOS Broadcast.

12. Check Disable for Global Tunnel.

13. Set Remote Subnet 1 IP to the destination network protected by the SEVPN.

14. Set Mask to the netmask of the destination network protected by the SEVPN.

15. Click the Add button to add the new tunnel to the system.

The tunnel should now be operational on both ends. Verify this by opening a DOS
command line and pinging a running machine on the remote network. Static keys never change
on their own, so replace them on a schedule and whenever someone who has seen them leaves.
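The mapping in steps 5 to 9 above is easy to get backwards. The following added example (not code from the manual or from the SEVPN product) takes the values read off the SEVPN and produces the screen entries: the SPIs swapped, the three 3DES keys appended in order, and every key checked for exactly the length the selected method consumes. The SEVPN-side argument names and the 10.10.10.0/255.255.255.0 destination network are this example's assumptions; the SPI and key values are the placeholders shown in Figure 7-3.

```python
"""Turn the parameters read off the SEVPN into the Symantec Firewall/VPN
'VPN Static Key' entries, applying the mapping the procedure above gives.

Added example; not code from the manual. It swaps the SPIs (Incoming SPI
takes the SEVPN's Remote SPI, Outgoing SPI its Local SPI), appends the three
SEVPN keys into one 3DES key, and checks that every key has exactly the
length the selected method consumes. The sample values are the ones visible
in Figure 7-3 and Figure 7-5; the SEVPN field names used as arguments are
this example's assumptions.
"""
import re

ENC_KEY_BYTES = {"DES": 8, "3DES": 24}      # keying material per cipher
AUTH_KEY_BYTES = {"MD5": 16, "SHA1": 20}    # keying material per integrity algorithm


def hex_key(text):
    """Parse '0x...' or bare hex into bytes; reject anything that is not hex."""
    s = text.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not re.fullmatch(r"[0-9a-f]+", s) or len(s) % 2:
        raise ValueError(f"not a hex key: {text!r}")
    return bytes.fromhex(s)


def static_entry(name, sevpn_gateway, dest_network, dest_mask, local_spi, remote_spi,
                 cipher, integrity, privacy_keys, integrity_key,
                 wan_port="WAN 1", pppoe_session="Session 1"):
    """Return the screen fields as a dict, or raise ValueError on a mismatch."""
    if cipher not in ENC_KEY_BYTES or integrity not in AUTH_KEY_BYTES:
        raise ValueError(f"unsupported method ESP {cipher} {integrity}")
    for spi in (local_spi, remote_spi):
        # RFC 4303: SPI 0 is for local use only and 1-255 are reserved by IANA.
        if not 256 <= spi <= 0xFFFFFFFF:
            raise ValueError(f"SPI {spi} outside the usable range 256..2^32-1")
    enc_key = b"".join(hex_key(k) for k in privacy_keys)  # 3DES: three keys appended in order
    if len(enc_key) != ENC_KEY_BYTES[cipher]:
        raise ValueError(f"{cipher} needs {ENC_KEY_BYTES[cipher]} key bytes, got {len(enc_key)}")
    if cipher == "3DES":
        k1, k2, k3 = enc_key[:8], enc_key[8:16], enc_key[16:]
        # EDE with K1 == K2 or K2 == K3 collapses to a single DES encryption.
        if k1 == k2 or k2 == k3:
            raise ValueError("3DES subkeys collapse the cipher to single DES")
    auth_key = hex_key(integrity_key)
    if len(auth_key) != AUTH_KEY_BYTES[integrity]:
        raise ValueError(f"{integrity} needs {AUTH_KEY_BYTES[integrity]} key bytes, got {len(auth_key)}")
    return {
        "Name": name,
        "Enable": True,
        "WAN Port": wan_port,
        "PPPoE Session": pppoe_session,
        "Incoming SPI": remote_spi,          # what the SEVPN calls its Remote SPI
        "Outgoing SPI": local_spi,           # what the SEVPN calls its Local SPI
        "Encryption and Authentication Method": f"ESP {cipher} {integrity}",
        "Encryption Key": "0x" + enc_key.hex(),
        "Authentication Key": "0x" + auth_key.hex(),
        "Gateway Address": sevpn_gateway,
        "NetBIOS Broadcast": "Disable",
        "Global Tunnel": "Disable",
        "Remote Subnet 1 IP": dest_network,
        "Remote Subnet 1 Mask": dest_mask,
    }


if __name__ == "__main__":
    # The single-DES example from Figure 7-3 (placeholder keys as shown there).
    entry = static_entry("200_to_SEVPN", "192.168.40.1", "10.10.10.0", "255.255.255.0",
                         local_spi=257, remote_spi=257, cipher="DES", integrity="MD5",
                         privacy_keys=["0x1234567890123456"],
                         integrity_key="0x12345678901234567890123456789012")
    for field, value in entry.items():
        print(f"{field:38} {value}")
```

The length checks are the useful part: an 8-byte key pasted into an ESP 3DES SHA1 entry, or a 16-byte MD5 key where SHA1 needs 20, is rejected here instead of producing a tunnel that silently fails to pass traffic.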

SEVPN Static tunnel configuration

The following table contains a brief list of the steps to configure the SEVPN.

Table 7-1: SEVPN configuration steps

Configuration Steps                                   Symantec Enterprise Firewall and Symantec
                                                      Enterprise VPN Configuration Guide - Chapter

1. Create a Security Gateway for the SEVPN.           Defining Security Gateways

2. Create a Subnet for the Local Network.             Defining Subnet Entities

3. Create a Security Gateway for the Symantec         Defining Security Gateways
   Firewall/VPN appliance.

4. Create a Subnet for the remote network.            Defining Subnet Entities

5. Create a Secure Tunnel, making sure to select      Configuring Secure Tunnels and Configuring
   one of the static policies, configure the keys     an IPsec Static VPN Policy
   and set the SPIs.
Dynamic tunnel

Dynamic tunnels differ from static tunnels in that both ends of the tunnel exchange the encryption
keys dynamically. You do not have to configure these ahead of time.

[Network diagram: a host at 192.168.0.3 behind the Symantec Firewall/VPN and a host at
10.10.10.4 behind the SEVPN, joined by the dynamic tunnel.]

Figure 7-4: VPN Dynamic tunnel diagram

Symantec Firewall/VPN Dynamic tunnel configuration

On the Symantec Firewall/VPN appliance, select the VPN - Dynamic option from the
configuration page. You should be presented with a screen similar to Figure 7-5 on page 7-8.
Initially, the screen you see should be blank, with a few of the defaults entered. In order to properly
configure a dynamic tunnel, you will need the following information from the SEVPN:

• Gateway IP address of the SEVPN.

• Shared Secret.

• Destination network protected by the SEVPN.

• Netmask of the destination network protected by the SEVPN.

• Encryption parameters on SEVPN (DES, 3DES, SHA1, etc.)

• Perfect Forward Secrecy setting.
[Screen image of the VPN Dynamic Key screen, filled in for the example:
 IPSec Security Association: Select Security Association 200_to_sevpn (select only if updating
 or deleting an existing configuration); Update Fields Below (select an SA above first unless
 adding); Name 200_to_sevpn; Enable; WAN Port WAN 1 (you must bind the VPN tunnel to a
 WAN port); PPPoE Session Session 1 (select the PPPoE session to bind the VPN tunnel to);
 Phase 1 Negotiation Main Mode (Aggressive Mode is the other choice); Encryption and
 Authentication Method ESP 3DES SHA1; SA Lifetime (minutes); Data Volume Limit (KBytes);
 Inactivity Timeout (minutes); Perfect Forward Secrecy Enable / Disable.
 Local Security Gateway: ID Type IP Address; Phase 1 ID.
 Remote Security Gateway: Gateway Address (enter 0.0.0.0 for a Client-to-Gateway tunnel);
 ID Type (select Distinguished Name for Client-to-Gateway tunnels); Phase 1 ID and Pre-Shared
 Key (leave both blank for a Client SA; the remote Client ID must match a user in the Client
 List); Pre-Shared Key shown as 01234567890123456789.
 For Gateway-to-Gateway Tunnels: NetBIOS Broadcast Disable; Global Tunnel Disable; Remote
 Subnet 1 IP 10.10.10.0, Mask 255.255.255.0; Remote Subnet 2 to 5 IP and Mask (blank).
 Buttons: Add, Delete, Update Entry, Clear Form, Cancel.
 Security Association List (Status, Name, Security Gateway, Remote Subnet, Encryption
 Method):
   Connected   ike_200_to_100   192.168.40.63   192.168.100.0 / 255.255.255.0
   Enabled     200_to_sevpn     192.168.40.1    10.10.10.0 / 255.255.255.0
 The pre-shared key shown is a placeholder for the screen shot.]

Figure 7-5: VPN Dynamic configuration screen
To configure the tunnel:

1. In the Name field, enter a new name for this tunnel.

2. Check Enable.

3. Select the WAN Port you want to bind the VPN tunnel to.

4. Select the PPPoE Session you want to bind the tunnel to.

5. Check Main Mode for Phase 1 Negotiation.

6. Select the Encryption and Authentication Method to match the parameters from the
SEVPN.

7. Set Perfect Forward Secrecy to match the SEVPN configuration.

8. Under Remote Security Gateway, set the Gateway Address to the Gateway Address of the
SEVPN.

9. Set ID Type to IP Address.

10. Set Pre-Shared Key to the Shared Secret from the SEVPN.

11. Check Disable for NetBIOS Broadcast.

12. Check Disable for Global Tunnel.

13. Set Remote Subnet 1 IP to the destination network protected by the SEVPN.

14. Set Mask to the netmask of the destination network protected by the SEVPN.

15. Click the Add button to add the new tunnel to the system.

The tunnel should now be operational on both ends. Verify this by opening a DOS
command line and pinging a running machine on the remote network. There will be a small delay,
and the initial ping response will time out; this is the period during which the keys are being
exchanged between both ends of the tunnel. Once the tunnel is up, its entry in the Security
Association List on this screen shows the status Connected.
SEVPN Dynamic tunnel configuration

The following table is a brief list of the steps to configure the SEVPN.

Table 7-2: SEVPN Dynamic tunnel configuration steps

Configuration Steps                                   Symantec Enterprise Firewall and Symantec
                                                      Enterprise VPN Configuration Guide - Chapter

1. Create a Security Gateway for the SEVPN.           Defining Security Gateways

2. Create a Subnet for the Local Network.             Defining Subnet Entities

3. Create a Security Gateway for the Symantec         Defining Security Gateways
   Firewall/VPN appliance.

4. Create a Subnet for the remote network.            Defining Subnet Entities

5. Create a Secure Tunnel, making sure to select      Configuring Secure Tunnels
   an IKE (dynamic) policy, enter the shared
   secret and match the Perfect Forward Secrecy
   setting.
Connecting to Symantec Enterprise VPN Client

The Symantec Enterprise VPN Client software enables a remote personal computer (PC) to safely
send information in a secure tunnel through the Internet to a private network that is protected by the
Symantec Firewall/VPN 200R. Symantec Enterprise VPN Client connects the PC to the Symantec
Firewall/VPN, which provides secure access to the private network. To create a secure tunnel you
must configure both ends of the tunnel. One end is the Symantec Firewall/VPN 200R and the other
end is the Symantec Enterprise VPN Client. The following sections describe how to configure both
end points of the Symantec Enterprise VPN Client to Symantec Firewall/VPN 200R secure tunnel.

Symantec Enterprise VPN Client can also be configured behind the Symantec Firewall/VPN 200R.
In that configuration, the Symantec Enterprise VPN Client can establish secure tunnels that pass
through the Symantec Firewall/VPN 200R to remote gateways.

By default the Symantec Firewall/VPN can multiplex several IPSec pass-through connections over a
single IP address.

Note: You cannot connect through an IPSec pass-through connection to a VPN Gateway that has
been defined in a VPN tunnel locally.

[Network diagram of the two client configurations described above: a remote computer tunnelling
in to the Symantec Firewall/VPN 200R, and a computer behind the 200R passing through it to a
remote gateway. The only label that survived extraction is "Computer".]

Figure 8-1: Symantec Enterprise VPN Client configurations

To ensure the safe transmission of data in the tunnels, Symantec Enterprise VPN Client uses a suite
of standardized security protocols including the Internet Security Association and Key
Management Protocol (ISAKMP), the Internet Key Exchange (IKE) protocol, and the IP Security
(IPSec) protocol.

Access to Symantec Enterprise VPN Client is password protected to prevent others from creating
tunnels into the Symantec Firewall/VPN 200R, even if your computer is stolen. For added security,
Symantec Enterprise VPN Client includes a personal firewall which restricts the ports through
which data packets can be received.

Configuring Symantec Enterprise VPN Client with Symantec Firewall/VPN 200R

Security gateways must be configured at both the Symantec Firewall/VPN and in Symantec
Enterprise VPN Client. Every gateway can accommodate multiple tunnels. Therefore, when you
add or remove a security gateway from the Symantec Enterprise VPN Client database, you are also
adding or removing all of the tunnels that are associated with the security gateway.

[Network diagram: the remote tunnel between a computer running Symantec Enterprise VPN
Client and the Symantec Firewall/VPN 200R. The label that survived extraction is a computer at
192.168.0.3.]

Figure 8-2: Symantec Enterprise VPN Client Remote Tunnel Configuration

Tunnels must be connected each time you reboot your PC. After the gateways and tunnels are 
connected, they remain connected until you disconnect them, an inactivity timeout occurs, a dial- 
up connection is lost, you exit Windows or shut down Symantec Enterprise VPN Client. 

Configure Symantec Firewall/VPN 200R for a dynamic tunnel to Symantec Enterprise VPN Client

1. From the Symantec Firewall/VPN 200R Main Menu, select Client Identity.

[Screen image of the VPN Client Identity screen: User Identity with Select User (select only if
updating or deleting current users), Update Fields Below (select a user above first unless
adding), Enable check box, User Name (must match the Client ID offered by the remote VPN
client), Pre-Shared Key; buttons Add, Delete, Update Entry, Clear Form, Cancel; User List with
columns Name, Enable?, Pre-Shared Key.]

Figure 8-3: Client Identity screen

2. Under User Identity, click Enable.

3. In the User Name field, enter a user name. It must match the Client ID the Symantec
Enterprise VPN Client will offer (step 6 of Table 8-1).

4. In the Pre-Shared Key field, enter your pre-shared key.

5. Make sure the pre-shared key is between 20 and 64 characters.

6. Click Add.

7. From the Symantec Firewall/VPN 200R Main Menu, select VPN Dynamic Key.

8. Under IPSec Security Association, in the Name field, enter a descriptive name.

9. Click the Enable radio button to enable the security association.

10. In the Phase 1 Negotiation field, click the Aggressive Mode radio button.

Aggressive Mode is needed here because the client's address is not known in advance (the
Gateway Address is set to 0.0.0.0 in step 16). It sends the identities in the clear and lets anyone
who can reach the gateway collect material for an offline guess at the pre-shared key, so use the
full 20 to 64 character length with a randomly generated key rather than a word or phrase.

11. In the Encryption and Authentication Method list, select a method.

This method must match the encryption and authentication method you use when
configuring the Symantec Enterprise VPN Client end of the tunnel.
[Screen image of the VPN Dynamic Key screen, filled in for a client tunnel:
 IPSec Security Association: Name vpnclient; Enable; PPPoE Session Session 1; Phase 1
 Negotiation Aggressive Mode; Encryption and Authentication Method ESP DES MD5; SA
 Lifetime 480 minutes; Data Volume Limit 2100000 KBytes; Inactivity Timeout 0 minutes;
 Perfect Forward Secrecy Enable.
 Local Security Gateway: ID Type IP Address; Phase 1 ID (blank).
 Remote Security Gateway: Gateway Address 0.0.0.0 (enter 0.0.0.0 for a Client-to-Gateway
 tunnel); ID Type Distinguished Name (select Distinguished Name for Client-to-Gateway
 tunnels); Phase 1 ID and Pre-Shared Key left blank (leave both blank for a Client SA; the
 remote Client ID must match a user in the Client List).
 For Gateway-to-Gateway Tunnels: NetBIOS Broadcast Disable; Global Tunnel Disable; Remote
 Subnet 1 IP and Mask (blank).]

Figure 8-4: VPN Dynamic Key screen
12. In the SA Lifetime field, enter the number of minutes the security association will last
before rekeying.

The SA Lifetime in minutes should match the Time expiration of the Symantec
Enterprise VPN Client as entered on the Symantec Enterprise VPN Client VPN Policy
screen. See Table 8-1, Symantec Enterprise VPN Client configuration on page 8-8.

13. In the Data Volume Limit field, enter the number of Kbytes that can pass through the
tunnel before the security association rekeys.

The Data Volume Limit in Kbytes should match the value entered on the Symantec Enterprise
VPN Client VPN Policy Timeouts tab.

14. In the Inactivity Timeout field, enter the inactivity timeout in minutes.

The Inactivity Timeout value should match the value entered on the Symantec Enterprise VPN
Client VPN Policy Timeouts tab.

15. In the Perfect Forward Secrecy field, click the Enable radio button.

16. Under Remote Security Gateway, in the Gateway Address field, enter 0.0.0.0.

17. In the ID Type field, select Distinguished Name.

You do not need to enter a Phase 1 ID because the Symantec Firewall/VPN automatically
searches its database for a matching user ID.

18. Click Add.

The Symantec Firewall/VPN 200R endpoint of the tunnel is now configured.

Configure Symantec Enterprise VPN Client for a Dynamic tunnel to 
Symantec Firewall/VPN 200R 

The following table outlines the steps required to configure Symantec Enterprise VPN Client for a 
Dynamic Tunnel to the Symantec Firewall/VPN 200R. See the Symantec Enterprise VPN Client 
Administrator's Guide for more information. 
Table 8-1: Symantec Enterprise VPN Client configuration

Configuration Steps                                   Symantec Enterprise VPN Client Configuration
                                                      Guide Chapter - Section - Subsection

1. Launch Symantec Enterprise VPN Client.             Getting Started

2. Create a new Gateway.                              Managing Gateways - Adding a Gateway

3. Enter the Outside Address (or the DNS Name)        Managing Gateways - Adding a Gateway
   of the Symantec Firewall/VPN 200R.

4. Uncheck Symantec Firewall/Power VPN.               Managing Gateways - Adding a Gateway

5. Enter Shared Secret.                               Managing Gateways - Adding a Gateway

6. Enter Client ID.                                   Managing Gateways - Adding a Gateway

7. Create a new IKE policy with a unique name         Managing Gateways - Adding a Gateway -
   or use one of the predefined policies.             Defining an IKE Policy

8. Create a new tunnel.                               Managing Tunnels - Adding a Tunnel

9. Enter the inside subnet of the Symantec            Managing Tunnels - Adding a Tunnel
   Firewall/VPN 200R.

10. Create a new VPN policy or use a predefined       Managing Tunnels - Adding a Tunnel -
    policy.                                           Defining a VPN Policy

11. Connect tunnel.                                   Managing Tunnels - Connecting a Tunnel

The Shared Secret (step 5) must be the pre-shared key entered for this user on the Client
Identity screen, and the Client ID (step 6) must be that user's User Name.
Trouble Shooting 



Problem 1: Cannot connect to the Symantec Firewall/VPN to 
configure it. 

Solution: Check the following: 

• The Symantec Firewall/VPN is properly installed, network connections are OK and the 
Symantec Firewall/VPN is powered ON. 

• Ensure that your PC and the Symantec Firewall/VPN are on the same network segment. If 
you are installing the Symantec Firewall/VPN for the first time, ensure that your PC is 
using an IP Address within the range 192.168.0.2 to 192.168.0.255 thus compatible with 
the Firewall/VPN's default IP Address of 192.168.0.1. 

Verify that the Subnet Mask is set to 255.255.255.0 in order to reach the Firewall/VPN. In 
Windows, you can check these settings by using Control Panel-Network to check the 
Properties for the TCP/IP protocol in use by your network card. 

• Check and make sure you do not have any proxy settings in your browser. If you have a 
computer directly connected to the Symantec Firewall/VPN make sure you are using a 
Straight-Thru Cable provided with the unit or bought at your local network supply store. 

• Make sure your NIC card is 10/100BaseT compatible. 

Problem 2: When I enter a URL or IP address I get a time out error. 

Solution: Try the following troubleshooting steps: 

• Check if other computers work with the same URL. If they do, ensure that your 
computer's IP settings are correct (IP address, Subnet Mask, Default gateway and DNS). 

• Make sure you have used an IP range that is not in use by any service provider 
(192.168.X.X or 10.X.X.X). If the other computers cannot connect either, make sure you 
have properly connected the Symantec Firewall/VPN as shown in Installation. 

• If the Symantec Firewall/VPN is configured correctly, check your Internet connection 
(xDSL/Cable modem etc) directly with your computer to ensure that it is working 
correctly. 
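The address checks in Problem 1 and Problem 2 (PC on the same segment as the appliance's default address of 192.168.0.1 with mask 255.255.255.0, and a private address range rather than a provider-routable one) can be run as a script before touching the browser. This is an added example, not part of the manual: the appliance's default address and mask are the ones the manual gives, while treating the appliance as the PC's default gateway is an assumption made here.

```python
"""Check a PC's TCP/IP settings against the Symantec Firewall/VPN defaults.

Added example (not from the manual). The appliance address and mask below are
the manual's defaults; expecting the appliance to be the PC's default gateway
is an assumption made in this script.
"""
import ipaddress

APPLIANCE_IP = ipaddress.IPv4Address("192.168.0.1")   # manual's default address
APPLIANCE_MASK = "255.255.255.0"                       # manual's default mask
APPLIANCE_NET = ipaddress.IPv4Network(f"{APPLIANCE_IP}/{APPLIANCE_MASK}", strict=False)


def check_pc_settings(pc_ip: str, pc_mask: str, pc_gateway: str = None) -> list:
    """Return a list of findings; an empty list means the PC should be able
    to reach the appliance at its default address."""
    findings = []
    pc = ipaddress.IPv4Address(pc_ip)
    pc_net = ipaddress.IPv4Network(f"{pc_ip}/{pc_mask}", strict=False)

    # Problem 1: matching subnet mask and same network segment as the appliance.
    if pc_net.netmask != APPLIANCE_NET.netmask:
        findings.append(
            f"subnet mask is {pc_net.netmask}; the appliance expects {APPLIANCE_NET.netmask}")
    if APPLIANCE_IP not in pc_net:
        findings.append(
            f"{pc}/{pc_net.prefixlen} does not contain {APPLIANCE_IP}; not on the same segment")
    if pc == APPLIANCE_IP:
        findings.append("PC address collides with the appliance's default address")
    elif pc in (APPLIANCE_NET.network_address, APPLIANCE_NET.broadcast_address):
        # .0 and .255 of a /24 are the network and broadcast addresses, not host addresses.
        findings.append(f"{pc} is the network or broadcast address of {APPLIANCE_NET}")

    # Problem 2: the LAN must use a private range (192.168.x.x, 10.x.x.x), not a
    # public range that a service provider may be routing.
    if not pc.is_private:
        findings.append(
            f"{pc} is a public address; use a private range such as 192.168.X.X or 10.X.X.X")

    # Assumption: the appliance is the PC's default gateway.
    if pc_gateway is not None and ipaddress.IPv4Address(pc_gateway) != APPLIANCE_IP:
        findings.append(
            f"default gateway is {pc_gateway}; expected the appliance at {APPLIANCE_IP}")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, the kind read off the Windows TCP/IP properties.
    for ip, mask, gw in [("192.168.0.10", "255.255.255.0", "192.168.0.1"),
                         ("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                         ("8.8.8.8", "255.255.255.0", None)]:
        print(ip, mask, "->", check_pc_settings(ip, mask, gw) or "OK")
```

Run it with the address, mask and gateway shown in the PC's TCP/IP properties; each finding names the setting to correct before trying the appliance's web interface again.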

Problem 3: Some applications do not run properly when using the 
Firewall/VPN. 

Solution: Use the Special Applications screen to allow the use of special Internet applications. 

• The Symantec Firewall/VPN processes the data passing through it, so it is not transparent. 
The application may require the release of TCP and UDP ports that would otherwise not 
function correctly. Please refer to the software manufacturer's web site for information 
about using their application with firewalls. 

• If you still have a problem, you can use the Exposed Host function. This should work with 
almost every application, but it is a security risk, since the firewall is disabled for the 
exposed PC. Only one (1) PC can use this feature. When the Exposed Host feature is being 
used, the Special Applications and Virtual Server features should be disabled. 

Problem 4: PPPoE will not authenticate. 

Solution: PPPoE needs to be set up properly, or you may need to upgrade your firmware. Below are 
some known issues. 

• Please remember to click Save after entering all your options in the PPPoE setup screen. 

• User name and Password need to be exactly as your provider requires (upper case/lower 
case). A service name suffix may be needed to connect. Check with your provider to make 
sure that you are using the correct username and password along with any suffixes that 
may be required. 

• You can try using your user name plus the "@" sign and the domain extension of your service 
provider. Example: John@sympatico.ca. If your provider supports services, the Get 
Services button on the Advanced PPPoE screen will provide the same effect without the 
need of the suffix. 
Firmware Upgrades 



The Symantec Firewall/VPN does its job by following a set of instructions that are coded into its 
permanent memory. These instructions are called firmware. The firmware contains all of the 
features and functionality of the Firewall/VPN. 

Firmware upgrades are available from Symantec's home page. Your current firmware version 
number is available from the Status interface screen. If it is older than the firmware on the website, 
you can download that firmware to update your Symantec Firewall/VPN. 

The following procedure assumes the unit is at its default IP address of 192.168.0.1. Replace the IP 
address in the instructions below if you have changed it. 

Performing a firmware upgrade might erase your configuration settings (this is usually not the case, 
but certain firmwares could have this effect). Please take note of your settings before upgrading the 
firmware. You should not use a configuration backup file from an older firmware to restore your 
settings. 

To upgrade you'll need the firmware you downloaded from Symantec's website and the nxtftp 
utility, which is available on the CD in the Utilities folder (there is both a Windows and DOS 
command there - we'll use the DOS command here). Put both the new firmware and the nxtftp 
utility into a temp folder on your hard drive. 

Note: If you have a computer other than Windows, you can use that computer's TFTP command, 
set to binary option, to perform this same procedure (TFTP is fairly universal and is 
available on Macintosh, Unix, Linux, etc.). 




To upgrade firmware 

1. Power off the unit by pulling the adapter plug from the back of the Firewall/VPN. 

2. Flip DIP switches 1 & 2 to the ON position (DOWN). 

3. Put the power plug back into the Symantec Firewall/VPN. 

4. Open a DOS prompt by clicking Start, then Run... Type command and click OK. 

5. CD to your temp folder with the firmware and nxtftp command. 

6. Type nxtftp 192.168.0.1 PUT <firmware name> and press Enter. 

7. After a few moments you should see a "success" message. If not, reboot your computer 
and try again. 

8. Return the DIP switches to their normal positions. 
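The Note above says that any TFTP client in binary mode can replace nxtftp for step 6. The following is an added example, not Symantec's nxtftp utility and not taken from the manual: a minimal TFTP write-request client in Python that performs the RFC 1350 octet-mode exchange (WRQ, then 512-byte DATA blocks each answered by an ACK from the appliance's transfer port). It also records the image's SHA-256 before sending so you can confirm that the file you put in the temp folder is the one you downloaded. TFTP carries no authentication or encryption, which is why the appliance only accepts an upload with the DIP switches set and why the upload belongs on the directly connected 192.168.0.x segment. The file name fw200r.bin and the loopback self-test are assumptions and constructed data.

```python
"""Minimal TFTP 'put' client in octet (binary) mode, per RFC 1350.

Added example: not Symantec's nxtftp utility and not from the manual. The
image file name and the loopback self-test are assumptions made here.
"""
import hashlib
import socket
import struct
import threading

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK_SIZE = 512          # RFC 1350 fixed data block size


def build_wrq(filename: str, mode: str = "octet") -> bytes:
    """Write request: opcode 2, filename, NUL, transfer mode, NUL."""
    return (struct.pack("!H", OP_WRQ) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block: int, chunk: bytes) -> bytes:
    """DATA packet: opcode 3, 16-bit block number, up to 512 payload bytes."""
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def parse_ack(packet: bytes) -> int:
    """Return the acknowledged block number; raise if the server sent ERROR."""
    if len(packet) < 4:
        raise ValueError("short TFTP packet")
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode == OP_ERROR:
        msg = packet[4:].split(b"\x00", 1)[0].decode("ascii", "replace")
        raise RuntimeError(f"TFTP error {block}: {msg}")
    if opcode != OP_ACK:
        raise ValueError(f"unexpected opcode {opcode}")
    return block


def split_blocks(data: bytes) -> list:
    """A block shorter than 512 bytes ends the transfer, so an image whose
    size is an exact multiple of 512 needs a trailing empty block."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    if not blocks or len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")
    return blocks


def firmware_digest(data: bytes) -> str:
    """SHA-256 of the image, recorded before sending for comparison."""
    return hashlib.sha256(data).hexdigest()


def _exchange(sock, peer, packet, expect_block, retries):
    """Send one packet and wait for the matching ACK, resending on timeout."""
    for _ in range(retries):
        sock.sendto(packet, peer)
        try:
            reply, addr = sock.recvfrom(516)
        except socket.timeout:
            continue
        if parse_ack(reply) == expect_block:
            return addr      # the server answers from its transfer port (TID)
    raise TimeoutError(f"no ACK for block {expect_block} after {retries} tries")


def tftp_put(host: str, filename: str, data: bytes, port: int = 69,
             timeout: float = 5.0, retries: int = 3) -> int:
    """Upload data under filename; return the number of DATA blocks sent."""
    blocks = split_blocks(data)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        peer = _exchange(sock, (host, port), build_wrq(filename), 0, retries)
        for n, chunk in enumerate(blocks, start=1):
            peer = _exchange(sock, peer, build_data(n, chunk), n, retries)
    finally:
        sock.close()
    return len(blocks)


def loopback_demo(payload: bytes = b"\xaa" * 1024) -> int:
    """Run tftp_put against a throwaway ACK-only server on localhost and
    return how many DATA blocks it accepted (constructed data, no appliance)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    received = []

    def serve():
        _wrq, client = srv.recvfrom(516)
        tid = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # fresh TID port
        tid.settimeout(5.0)
        tid.sendto(struct.pack("!HH", OP_ACK, 0), client)
        while True:
            pkt, client = tid.recvfrom(516)
            received.append(pkt[4:])
            tid.sendto(struct.pack("!HH", OP_ACK, struct.unpack("!H", pkt[2:4])[0]), client)
            if len(pkt) - 4 < BLOCK_SIZE:
                break
        tid.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    tftp_put("127.0.0.1", "firmware.bin", payload, port=srv.getsockname()[1])
    return len(received)


if __name__ == "__main__":
    # Real use (assumed file name), from a PC on the 192.168.0.x segment with DIP
    # switches set: image = open("fw200r.bin", "rb").read();
    # print(firmware_digest(image)); tftp_put("192.168.0.1", "fw200r.bin", image)
    print("loopback blocks accepted:", loopback_demo())
```

Because the appliance answers the WRQ from a freshly chosen UDP port, the client must send every DATA block to the address the ACK came from, not to port 69; that is the detail most hand-rolled uploaders get wrong, and the loopback server reproduces it.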